CVE-2025-49575

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-49575

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49575.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-49575

Aliases

GHSA-4c2h-67qq-vm87

Published

2025-06-12T19:15:20Z

Modified

2025-06-16T15:51:22.996508Z

Summary

[none]

Details

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the editinterface but not the editsitejs user right. This vulnerability is fixed in 3.3.1.

References

Affected packages

Git / github.com/starcitizentools/mediawiki-skins-citizen

Affected ranges

Type: GIT
Repo: https://github.com/starcitizentools/mediawiki-skins-citizen
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5

Fixed

93c36ac778397e0e7c46cf7adb1e5d848265f1bd

Affected versions

v1.*

v1.10.0

v1.13.0

v1.14.0

v1.14.1

v1.15.0

v1.16.0

v1.16.1

v1.17.0

v1.17.1

v1.17.2

v1.17.3

v1.17.4

v1.17.5

v1.17.6

v1.17.7

v1.17.8

v1.17.9

v1.9.4

v1.9.5

v2.*

v2.0.0

v2.0.0-alpha.0

v2.0.0-alpha.1

v2.0.0-alpha.2

v2.0.0-beta.0

v2.0.0-beta.1

v2.0.0-beta.2

v2.0.0-beta.3

v2.0.0-beta.4

v2.0.1

v2.1.0

v2.10.0

v2.10.1

v2.11.0

v2.11.1

v2.12.0

v2.13.0

v2.13.1

v2.13.2

v2.13.3

v2.13.4

v2.13.5

v2.14.0

v2.14.1

v2.15.0

v2.15.1

v2.16.0

v2.16.1

v2.17.0

v2.17.1

v2.17.2

v2.18.0

v2.18.1

v2.19.0

v2.2.0

v2.20.0

v2.21.0

v2.22.0

v2.22.1

v2.23.0

v2.24.0

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.29.0

v2.3.0

v2.3.1

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.30.0

v2.31.0

v2.32.0

v2.33.0

v2.34.0

v2.35.0

v2.36.0

v2.37.0

v2.38.0

v2.38.1

v2.38.2

v2.38.3

v2.39.0

v2.39.1

v2.39.2

v2.39.3

v2.39.4

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.40.0

v2.40.1

v2.40.2

v2.5.0

v2.5.1

v2.5.2

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.7.0

v2.7.1

v2.7.10

v2.7.11

v2.7.2

v2.7.3

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.9.0

v2.9.1

v3.*

v3.0.0

v3.1.0