The CVE-2025-21234 vulnerability exists within the `copyButtonAttributes` function of the Citizen skin’s `stickyHeader.js` file. This function is responsible for transferring button labels to the sticky header when a user scrolls on a wiki page. The flaw occurs when the function sets the `innerHTML` property of the new header element to the `textContent` of the original page element. Because `textContent` returns the decoded text of the label (the server’s escaping is undone) and `innerHTML` parses its input as HTML, a label that was rendered harmlessly as text is parsed a second time as markup. An attacker with `editinterface` rights, such as a sysop, can inject a malicious script into a system message. For example, by embedding an image tag with an `onerror` event handler (`<img src="" onerror="alert('XSS')">`), the payload is stored and subsequently executed in the browsers of any user who views the page and triggers the sticky header, leading to a stored Cross-site Scripting attack.
Platform: MediaWiki Skin
Version: >=3.3.0, <3.9.0
Vulnerability: Stored XSS
Severity: Moderate
Date: 2024-10-17
Prediction: Patch released 2025-10-20
What Undercode Says:
`grep -n "innerHTML" resources/skins.citizen.scripts/stickyHeader.js`
`git log --oneline --grep="3.9.0"`
`curl -s https://raw.githubusercontent.com/StarCitizenTools/mediawiki-skins-Citizen/v3.9.0/resources/skins.citizen.scripts/stickyHeader.js | head -50`
How the Exploit Works:
Malicious user edits system message.
Inserts the `onerror` image-tag payload shown above.
Victim scrolls, script executes.
Protection from this CVE
Upgrade to v3.9.0.
Sanitize user-controlled data.
Use `textContent` over `innerHTML`.
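To make the double-parse concrete, here is an added example (not code from the Citizen skin) that models the two DOM properties the bug turns on with a tiny stand-in element: the server escapes the label, `textContent` hands back the decoded string, and assigning that string to `innerHTML` parses it again. The `FakeElement` class, `decodeEntities` and the `copyLabel*` helpers are assumptions of this example, not the skin’s real API.

```javascript
// Tiny stand-in for two DOM properties (assumption: a real browser's HTML parser
// does far more; this only records which tags and on* handlers innerHTML would create).
const decodeEntities = (s) => s
  .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
  .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&amp;/g, '&');

class FakeElement {
  constructor() { this.text = ''; this.createdTags = []; }
  // innerHTML parses markup: every tag becomes a child element, entities are decoded.
  set innerHTML(markup) {
    const tagRe = /<([a-zA-Z][\w-]*)\b([^>]*)>/g;
    this.createdTags = [];
    let m;
    while ((m = tagRe.exec(markup)) !== null) {
      const handlers = (m[2].match(/\bon\w+(?=\s*=)/gi) || []).map((h) => h.toLowerCase());
      this.createdTags.push({ tag: m[1].toLowerCase(), handlers });
    }
    this.text = decodeEntities(markup.replace(tagRe, ''));
  }
  // textContent never parses: the whole string becomes one text node.
  set textContent(s) { this.createdTags = []; this.text = s; }
  // The getter returns decoded text, i.e. the literal '<' the server had escaped.
  get textContent() { return this.text; }
}

// Vulnerable pattern described for copyButtonAttributes: innerHTML <- textContent.
function copyLabelVulnerable(src, dst) { dst.innerHTML = src.textContent; }
// Fixed pattern: textContent <- textContent, so the label is never parsed a second time.
function copyLabelFixed(src, dst) { dst.textContent = src.textContent; }

function demo() {
  // Constructed input: the server correctly escaped the system message, so the page
  // button shows the payload as harmless text.
  const pageButton = new FakeElement();
  pageButton.innerHTML = '&lt;img src="" onerror="alert(\'XSS\')"&gt;';
  const stickyVuln = new FakeElement();
  const stickyFixed = new FakeElement();
  copyLabelVulnerable(pageButton, stickyVuln);
  copyLabelFixed(pageButton, stickyFixed);
  return {
    labelText: pageButton.textContent,   // decoded: '<img src="" onerror=...>'
    vulnTags: stickyVuln.createdTags,    // [{ tag: 'img', handlers: ['onerror'] }]
    fixedTags: stickyFixed.createdTags,  // []
  };
}
```

The same pattern is worth grepping for in any skin or gadget: a `textContent` read that feeds an `innerHTML` write reintroduces exactly the markup the server escaped.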
Impact:
Arbitrary script execution.
Session hijacking potential.
Privilege escalation risk.
Sources:
Reported By: github.com