VYPR
High severity · NVD Advisory · Published Jul 3, 2025 · Updated Jul 3, 2025

Citizen is vulnerable to stored XSS attack in the legacy search bar

CVE-2025-53368

Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in the Citizen MediaWiki skin allows users with page editing privileges to inject arbitrary JavaScript via unsanitized page descriptions in the legacy search bar.

Vulnerability

CVE-2025-53368 is a stored cross-site scripting (XSS) vulnerability in the Citizen MediaWiki skin, affecting versions from 1.9.4 up to (but not including) 3.4.0 [1][2]. The issue occurs in the old (legacy) search bar module, where page descriptions retrieved from sources such as TextExtracts or Description2 are inserted directly into the DOM as raw HTML without escaping or sanitization [2]. Specifically, the template uses the triple-brace Mustache tag `{{{.}}}`, which outputs its value without HTML escaping, so user-controlled description content is rendered verbatim [2].
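
The difference between the two tag forms, as an added example that is not code from Citizen, mustache.js or the advisory: a minimal stand-in renderer applied to the description line before and after the fix. The helpers `escapeHtml`, `render` and `injectedTags` and the sample description are constructed for illustration.

```javascript
// Added example: a stand-in for Mustache's two tag forms, not mustache.js or Citizen code.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Handles only what the description line needs: a {{#name}}...{{/name}} section
// over a string, containing {{{.}}} (raw) or {{.}} (HTML-escaped).
function render(template, view) {
  return template.replace(/\{\{#([\w-]+)\}\}([\s\S]*?)\{\{\/\1\}\}/g, (_, name, body) => {
    const value = view[name];
    if (value === undefined || value === null || value === '') return ''; // falsy section: omitted
    // Single pass so text inserted by one tag is never re-scanned as a tag.
    return body.replace(/\{\{\{\.\}\}\}|\{\{\.\}\}/g, (tag) =>
      tag.startsWith('{{{') ? String(value) : escapeHtml(value));
  });
}

// Element names present in rendered output other than the wrapper <div>.
function injectedTags(html) {
  return [...html.matchAll(/<([a-z][\w-]*)/gi)]
    .map((m) => m[1].toLowerCase())
    .filter((tag) => tag !== 'div');
}

// The description line before and after the fix, as shown in the patch.
const BEFORE = '{{#description}}<div class="citizen-typeahead-list-item-description">{{{.}}}</div>{{/description}}';
const AFTER = '{{#description}}<div class="citizen-typeahead-list-item-description">{{.}}</div>{{/description}}';

// Constructed search result; the description stands for editor-controlled text.
const result = { description: '<img src=x onerror=alert(1)> Ships of the fleet' };

console.log(render(BEFORE, result)); // <img> reaches the DOM as an element
console.log(render(AFTER, result));  // same text arrives as &lt;img ...&gt;
console.log(injectedTags(render(BEFORE, result)), injectedTags(render(AFTER, result)));
```
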

Exploitation

Any user with the ability to create or edit pages can exploit this by inserting an XSS payload into a page's description. The wiki must also be configured with the command palette disabled (`$wgCitizenEnableCommandPalette = false;`), the Action API as the search gateway (`$wgCitizenSearchGateway = 'mwActionApi';`), and a supported description source enabled (such as TextExtracts with `$wgCitizenSearchDescriptionSource = 'textextracts';` or Description2 with `$wgCitizenSearchDescriptionSource = 'pagedescription';`) [2]. When another user opens the search modal and looks for the affected page, the malicious description is rendered, executing the attacker's script in the context of the searching user's session [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the browsers of other wiki users who search for specific pages. This can lead to session hijacking, defacement, theft of sensitive cookies or tokens, or further actions under the victim's credentials [1][2]. The vulnerability does not require the victim to have any special privileges beyond being able to search on the wiki.

Mitigation

The vulnerability has been fixed in Citizen skin version 3.4.0, released on 2025-07-03 [1][4]. The fix sanitizes search result descriptions in the old search module and also addresses a related tagline XSS (CVE-2025-53370) [4]. Administrators are strongly advised to update to version 3.4.0 or later. For installations that cannot immediately upgrade, disabling the legacy search bar or ensuring description sources are not enabled may serve as temporary mitigations, though patching is the recommended action [4].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| starcitizentools/citizen-skin (Packagist) | >= 1.9.4, < 3.4.0 | 3.4.0 |

Affected products

2
  • Citizen/Citizen (llm-fuzzy)
    Range: >= 1.9.4, < 3.4.0
  • StarCitizenTools/mediawiki-skins-Citizen (v5)
    Range: >= 1.9.4, < 3.4.0

Patches

1
aedbceb3380b

fix(SECURITY): 🐛 🔒️ sanitize search result descriptions in old search module

1 file changed · +1 −1
  • resources/skins.citizen.search/templates/TypeaheadListItem.mustache · +1 −1 · modified
    @@ -15,7 +15,7 @@
     		<div class="citizen-typeahead-list-item-text">
     			{{#text}}{{.}}{{/text}}
     			{{#title}}<div class="citizen-typeahead-list-item-title">{{{.}}}</div>{{/title}}
    -			{{#description}}<div class="citizen-typeahead-list-item-description">{{{.}}}</div>{{/description}}
    +			{{#description}}<div class="citizen-typeahead-list-item-description">{{.}}</div>{{/description}}
     		</div>
     		{{#html-end}}<div class="citizen-typeahead-list-item-end">{{{.}}}</div>{{/html-end}}
     	</a>
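
Review bot: The `{{#title}}` line directly above the changed line still emits its value with `{{{.}}}`, and unlike `html-end` its name carries no `html-` prefix to mark it as pre-sanitized markup. If the title can contain page-controlled text, it should get the same `{{.}}` treatment, or be escaped before it reaches the template and renamed (for example `html-title`) so the raw output is visibly intentional. It would also help to state in the commit whether descriptions were ever expected to carry markup such as match highlighting, since `{{.}}` will now show any such tags as literal text.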
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
