CVE-2025-62508
BaseFortify
Publication date: 2025-10-17
Last updated on: 2025-10-21
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| starcitizentools | citizen | 3.9.0 |
| starcitizentools | citizen | 3.7.0 |
| starcitizentools | citizen | 3.3.0 |
| starcitizentools | citizen | 3.6.0 |
| starcitizentools | citizen | 3.5.0 |
| starcitizentools | citizen | 3.8.0 |
| starcitizentools | citizen | 3.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62508 is a stored Cross-Site Scripting (XSS) vulnerability in the Citizen skin for MediaWiki, versions 3.3.0 to 3.9.0. It occurs because the JavaScript function copyButtonAttributes in stickyHeader.js sets innerHTML from a source element's textContent, which causes escaped HTML in system message content to be interpreted as actual HTML. This allows a user with the editinterface permission (but without editsitejs) to inject arbitrary scripts into sticky header button messages. When other users load pages with the Citizen skin, the malicious script executes in their browsers. [2]
How can this vulnerability impact me?
This vulnerability allows an attacker with the editinterface permission to execute arbitrary JavaScript in other users' sessions without requiring user interaction. This can lead to unauthorized access to sensitive data or unauthorized actions performed on behalf of other users. The impact includes high confidentiality and integrity risks, such as data theft or modification, but does not affect availability. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your MediaWiki installation runs the Citizen skin in versions 3.3.0 to 3.9.0 and whether users with the editinterface permission can inject malicious HTML into system messages such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk. One way to detect exploitation attempts is to look for suspicious HTML or JavaScript payloads in these system messages. For example, you can query the MediaWiki database for these messages containing suspicious tags like <img> with onerror attributes. A sample SQL command to detect suspicious payloads might be:

```sql
-- Joins every revision of the listed message pages to its stored text and
-- matches one specific payload shape. Requires the revision.rev_text_id column.
SELECT page_title, old_text
FROM text
INNER JOIN revision ON text.old_id = revision.rev_text_id
INNER JOIN page ON revision.rev_page = page.page_id
WHERE page.page_title IN ('Citizen-share', 'Citizen-view-history', 'Citizen-view-edit', 'Nstab-talk')
  AND old_text LIKE '%<img src="" onerror=%';
```

Additionally, monitoring HTTP requests for unusual script execution or alerts triggered by injected scripts can help detect exploitation. However, no specific network commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Citizen MediaWiki skin to version 3.9.0 or later, where the vulnerability is fixed. The fix sanitizes or properly handles the input in stickyHeader.js to prevent stored cross-site scripting. Until the upgrade can be applied, restrict or review users with the editinterface permission to prevent untrusted users from injecting malicious scripts into system messages. Additionally, audit and clean any existing system messages that may contain malicious payloads. Applying the patch from commit e006923c6dbf113c9a025ca186ecc09fe7b93a15 also resolves the issue. [1, 2]
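For the audit of existing system messages described above, the following is an added example, not code from the Citizen project or the advisory. It flags any markup in the four sticky header messages named on this page, including per-language overrides such as Citizen-view-edit/de that an exact-title match would miss. The row shape, function names and sample rows are assumptions constructed for illustration.

```javascript
// Message keys this page names as reachable through the sticky header buttons.
const STICKY_HEADER_KEYS = new Set([
  'citizen-share', 'citizen-view-history', 'citizen-view-edit', 'nstab-talk',
]);

// The HTML tokenizer treats "<" as markup only before a letter, "/", "!" or "?",
// so "a < b" stays text while "<img" would become an element under innerHTML.
const MARKUP_START = /<[A-Za-z\/!?]/;
// An inline event handler attribute inside a start tag, e.g. <img ... onerror=...>.
const INLINE_HANDLER = /<[A-Za-z][^>]*\son[a-z]+\s*=/i;

// "Citizen-share/de" -> "citizen-share": lower-case the first letter and drop
// the language subpage suffix MediaWiki uses for translated message overrides.
function messageKey(pageTitle) {
  const base = pageTitle.split('/')[0];
  return base.charAt(0).toLowerCase() + base.slice(1);
}

// rows: [{ title, text }] exported from the MediaWiki: namespace (assumed shape).
// A button label has no need for markup, so any tag-like sequence is reported.
function auditStickyHeaderMessages(rows) {
  const findings = [];
  for (const { title, text } of rows) {
    if (!STICKY_HEADER_KEYS.has(messageKey(title))) continue;
    if (!MARKUP_START.test(text)) continue; // plain label, nothing to parse
    findings.push({
      title,
      severity: INLINE_HANDLER.test(text) ? 'script-capable' : 'markup',
    });
  }
  return findings;
}

// Constructed sample rows, not taken from a real wiki.
const SAMPLE_ROWS = [
  { title: 'Citizen-share', text: 'Share' },
  { title: 'Citizen-view-history', text: 'History <img src="" onerror="alert(1)">' },
  { title: 'Citizen-view-edit/de', text: '<b>Bearbeiten</b>' },
  { title: 'Nstab-talk', text: 'Talk (replies < 5)' },
  { title: 'Sidebar', text: '<i>not a sticky header message</i>' },
];

console.log(auditStickyHeaderMessages(SAMPLE_ROWS));
```

Any reported row should be reviewed together with its edit history, since the finding only shows that the current text would be parsed as HTML on an unpatched skin.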