How the CVE Works
The vulnerability exists in the `Menu.mustache` template of the Citizen skin for MediaWiki. The system messages used as menu headings are inserted into the DOM as raw HTML without escaping. A user with the `editinterface` right (a right that does not require `editsitejs`, so the normal restriction on who may edit site JavaScript does not protect against this) can edit those messages to contain JavaScript. When the menu is rendered, the payload executes in the session of every visitor who views the page, which makes this a stored Cross-Site Scripting (XSS). The published PoC demonstrates the unescaped sink with the `uselang` parameter, which causes XSS test strings to be rendered into the navigation headings.
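The escaping difference at the heart of this bug, as an added example that is not code from the Citizen skin or MediaWiki: a tiny Mustache-style renderer that supports only the escaped `{{name}}` and raw `{{{name}}}` tag forms (real Mustache treats these two forms the same way), a constructed heading message carrying a payload, and the same menu markup rendered once through a raw tag and once through an escaped tag. The message keys and the two template fragments are assumptions for illustration, not the skin's real ones.

```javascript
// Added example, not code from the Citizen skin or MediaWiki. A minimal
// Mustache-style renderer that supports only the two tag forms that matter
// for this bug: {{name}} escapes HTML metacharacters, {{{name}}} inserts the
// value raw. Real Mustache behaves the same way for these two forms.

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderMustache(template, view) {
  // Handle triple-stache first so the double-stache pattern cannot match
  // the inner part of a {{{...}}} tag.
  return template
    .replace(/\{\{\{\s*([\w.-]+)\s*\}\}\}/g, (_, name) => String(view[name] ?? ''))
    .replace(/\{\{\s*([\w.-]+)\s*\}\}/g, (_, name) => escapeHtml(view[name] ?? ''));
}

// Constructed stand-ins for the heading system messages. The message keys
// and the two template fragments are assumptions for illustration; the
// second message is the kind of text an editinterface holder could store.
const headingMessages = {
  'citizen-navigation-heading': 'Navigation',
  'citizen-tools-heading': '<img src=x onerror="alert(document.cookie)">Tools',
};

const VULNERABLE_TEMPLATE = '<h3 class="citizen-menu__heading">{{{heading}}}</h3>';
const FIXED_TEMPLATE = '<h3 class="citizen-menu__heading">{{heading}}</h3>';

function renderMenu(template, messages) {
  return Object.values(messages)
    .map((heading) => renderMustache(template, { heading }))
    .join('\n');
}

// Crude check for active content in rendered markup: a script element, an
// inline event handler attribute, or a javascript: URL. Escaped headings
// cannot match because their '<' has become '&lt;'.
const ACTIVE_CONTENT = /<script\b|<[a-z][^>]*\son[a-z]+\s*=|javascript:/i;
function containsActiveContent(html) {
  return ACTIVE_CONTENT.test(html);
}

// Render the same messages through both templates and report whether the
// payload survived as markup.
function demo() {
  const vulnerable = renderMenu(VULNERABLE_TEMPLATE, headingMessages);
  const fixed = renderMenu(FIXED_TEMPLATE, headingMessages);
  return {
    vulnerable,
    fixed,
    vulnerableHasActiveContent: containsActiveContent(vulnerable),
    fixedHasActiveContent: containsActiveContent(fixed),
  };
}

console.log(demo());
```

The raw-tag rendering carries the `onerror` handler into the page; the escaped rendering turns the whole message into visible text, which is why the fix is to stop treating a message that any `editinterface` holder can edit as trusted HTML.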
DailyCVE Form
Platform: MediaWiki (Citizen skin)
Version: Citizen >=2.4.2, <3.3.1
Vulnerability: Stored XSS
Severity: Moderate
Date: Jun 13, 2025
Patch: fixed in Citizen 3.3.1
What Undercode Says:
Exploitation:
1. Payload Injection: any account holding `editinterface` edits a menu-heading system message so that it contains script, for example:
    <script>alert(document.cookie)</script>
   A payload stored this way fires for every visitor as soon as the menu renders; no special URL is needed.
2. Trigger via URL: the PoC shows the unescaped sink on any page by selecting MediaWiki's XSS test pseudo-language, which substitutes test payloads for every message:
    https://target.wiki/Main_Page?uselang=x-xss
   MediaWiki only honours `x-xss` when `$wgUseXssLanguage` is enabled (it is off by default), so on a production wiki the stored message, not this URL, is the real attack path.
Protection:
1. Immediate Mitigation: in Mustache, `{{name}}` HTML-escapes the value and `{{{name}}}` inserts it raw, so the heading must not reach Menu.mustache through a raw tag. Until the upgrade, escape the message text in the PHP that builds the template data:
    // Escape the message text so it is rendered as text, not as markup
    $templateData['heading'] = htmlspecialchars( $message, ENT_QUOTES, 'UTF-8' );
2. .htaccess Rule: blocks only the `x-xss` PoC trigger and does nothing against a payload already stored in a message, so treat it as noise reduction rather than a fix:
    RewriteCond %{QUERY_STRING} (^|&)uselang=x-xss(&|$) [NC]
    RewriteRule ^ - [F,L]
3. MediaWiki Hook (stop-gap, in LocalSettings.php): reject interface-message edits that contain a script tag or an inline event handler. Pattern filters of this kind are bypassable, so this only raises the bar until the skin is upgraded:
    $wgHooks['EditFilter'][] = function ( $editPage, $text, $section, &$error, $summary ) {
        // Only interface messages (MediaWiki: namespace) reach the vulnerable sink
        if ( $editPage->getTitle()->getNamespace() !== NS_MEDIAWIKI ) {
            return true;
        }
        if ( preg_match( '/<script\b|<\w+[^>]*\son\w+\s*=/i', $text ) ) {
            $error = 'XSS attempt blocked';
            return false; // abort the save
        }
        return true;
    };
Post-Patch Verification: check the version the wiki actually loads rather than the release page; Special:Version shows the same value:
    grep '"version"' skins/Citizen/skin.json
Log Analysis: edits to interface messages are ordinary revisions of pages in the MediaWiki: namespace (namespace 8), not entries in the logging table, and an attacker will not write "xss" in the edit summary. List who touched those pages recently and review the diffs (Special:RecentChanges?namespace=8 shows the same thing in the UI):
    SELECT page_title, rev_timestamp, rev_actor
    FROM revision
    JOIN page ON page_id = rev_page
    WHERE page_namespace = 8
    ORDER BY rev_timestamp DESC
    LIMIT 50;
Browser Console Check: run on a rendered page; an escaped heading cannot contain a script tag or an inline event handler, so either one in the heading markup means the sink is still raw:
    document.querySelectorAll('.citizen-menu__heading').forEach(el => {
        if (/<script\b|\son\w+\s*=/i.test(el.innerHTML)) {
            console.warn('Unescaped heading markup:', el);
        }
    });
Upgrade Command: Citizen is shipped from its GitHub repository and lives under skins/Citizen, so update that checkout to the fixed tag:
    git -C skins/Citizen fetch --tags
    git -C skins/Citizen checkout 3.3.1
Sources:
Reported By: [github.com](https://github.com/advisories/GHSA-g3cp-pq72-hjpv)