StarCitizenTools/Citizen-Skin, Stored XSS in Search No-Result Messages, CVE-2025-XXXXX (Moderate)


How the CVE Works

The vulnerability exists in the `citizen-search-noresults-` and `citizen-search-noresults-desc` system messages, which are rendered as raw HTML via Mustache templates. Users holding the `editinterface` right (but not `editsitejs`) can inject HTML/JavaScript payloads into these messages. When a user runs a search that returns no results, the injected script executes in their browser, which makes this a stored Cross-Site Scripting (XSS) issue. The Mustache template (TypeaheadPlaceholder.mustache) emits the message content without HTML-escaping it, allowing arbitrary DOM manipulation.

DailyCVE Form

Platform: StarCitizenTools/Citizen-Skin
Version: >=2.31.0, <3.3.1
Vulnerability: Stored XSS
Severity: Moderate
Date: Jun 13, 2025

Prediction: Patch expected by Jun 20, 2025

What Undercode Say:

Exploitation:

1. Payload Injection:

<img src="" onerror="alert('XSS')">

Edit system messages to inject this payload.

2. Triggering XSS:

fetch('/api.php?action=query&meta=allmessages&ammessages=citizen-search-noresults-&format=json')

Confirms message manipulation.

Mitigation:

1. Immediate Workaround:

$wgRawHtml = false; // Disable raw HTML in MediaWiki

2. Sanitization Patch:

// In TypeaheadPlaceholder.mustache: double braces make Mustache HTML-escape the value;
// the triple braces {{{ }}} used originally output it as raw, unescaped HTML.
{{ citizen-search-noresults- }}

3. Update:

composer require starcitizentools/mediawiki-skins-citizen:3.3.1

4. Log Analysis:

-- Look for logged edits whose title references the affected messages
SELECT * FROM logging WHERE log_type = 'edit' AND log_title LIKE '%citizen-search-noresults%';

5. CSP Header:

# 'unsafe-inline' would allow the inline onerror handler to run; restrict scripts to same-origin sources
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";

6. Detection Script:

import re
import requests

# Fetch the rendered message list and flag any inline event handler on an <img> tag
response = requests.get('https://wiki.example.com/Special:AllMessages').text
if re.search(r'<img[^>]*\son\w+\s*=', response, re.IGNORECASE):
    print("XSS Detected")

7. Revert Malicious Edits:

php maintenance/deleteRevision.php --revid <malicious_rev_id>

8. Audit Permissions:

php maintenance/userOptions.php --user <username> --get groups

9. Monitoring:

tail -f /var/log/mediawiki/security.log | grep "editinterface"

10. Backup:

php maintenance/dumpBackup.php --full > wiki_backup.xml
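As an added example (not code from the advisory or the Citizen project) covering both the sanitization patch and the detection script steps above, the following checks the two affected messages in an allmessages API response for injected markup and shows the HTML-escaping a double-brace Mustache tag applies; the API response is a constructed sample.

```python
import html
import json
import re

# The two system messages the advisory names as rendered unescaped by the skin
AFFECTED_MESSAGES = ("citizen-search-noresults-", "citizen-search-noresults-desc")

# Markup that has no business in a plain-text "no results" message
SUSPICIOUS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*(img|svg|iframe|object)\b",
    re.IGNORECASE,
)


def find_injected_messages(allmessages_json: str) -> dict:
    """Return {message name: content} for affected messages containing suspicious markup.

    Input is the JSON body of ?action=query&meta=allmessages&ammessages=...&format=json
    """
    data = json.loads(allmessages_json)
    hits = {}
    for msg in data.get("query", {}).get("allmessages", []):
        name, content = msg.get("name", ""), msg.get("content", "")
        if name in AFFECTED_MESSAGES and SUSPICIOUS.search(content):
            hits[name] = content
    return hits


def render_escaped(message: str) -> str:
    """What a double-brace {{ }} Mustache tag does: HTML-escape the value before output."""
    return html.escape(message, quote=True)


# Constructed sample API response: one clean message, one carrying the advisory's payload
SAMPLE_RESPONSE = json.dumps({
    "query": {"allmessages": [
        {"name": "citizen-search-noresults-", "content": "No results found"},
        {"name": "citizen-search-noresults-desc",
         "content": "Try again <img src=\"\" onerror=\"alert('XSS')\">"},
    ]}
})

if __name__ == "__main__":
    for name, content in find_injected_messages(SAMPLE_RESPONSE).items():
        print(f"{name}: suspicious markup -> {content!r}")
        print(f"  escaped form: {render_escaped(content)}")
```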

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
