Citizen stored XSS vulnerability through short descriptions
Description
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 3.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In the Citizen MediaWiki skin, short descriptions are rendered as raw HTML without sanitization, enabling stored XSS via any page edit.
Vulnerability
Analysis
The Citizen skin for MediaWiki, from version 1.9.4 to before 3.4.0, fails to HTML-escape the html-tagline template variable, which is derived from the shortdesc page property. The short description, typically set via the ShortDescription extension using the {{SHORTDESC:...}} parser function, is read from $this->out->getProperty( 'shortdesc' ) and copied into the template data without escaping. The template then interpolates this value through {{{html-tagline}}} (Mustache triple braces, which perform no escaping), so it lands in the page DOM as raw HTML [2].
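To make the mechanism concrete, the following PHP is an added example, not code from the Citizen skin: it places a minimal stand-in for the pre-3.4.0 tagline lookup next to the patched form that calls htmlspecialchars() with ENT_QUOTES (as commit c85a40b does), and emulates the triple-brace interpolation so the difference in the rendered fragment is visible. The functions, the wrapper markup and the sample short description are constructed for illustration; getShortDescProperty() is a hypothetical substitute for $this->out->getProperty( 'shortdesc' ).

```php
<?php
// Added example (not Citizen's own code). Contrasts an unescaped tagline with
// the escaped one and shows why escaping must happen before a value reaches
// a Mustache triple-brace ({{{ }}}) interpolation.
declare(strict_types=1);

/** Hypothetical stand-in for $this->out->getProperty( 'shortdesc' ). */
function getShortDescProperty( array $pageProps ): ?string {
    return $pageProps['shortdesc'] ?? null;
}

/** Pre-3.4.0 shape: the property value is copied into the tagline verbatim. */
function getTaglineUnescaped( array $pageProps ): string {
    $shortdesc = getShortDescProperty( $pageProps );
    return $shortdesc ?: 'Default tagline';
}

/** Patched shape: escape at the point where user-controlled text becomes "html-*". */
function getTaglineEscaped( array $pageProps ): string {
    $shortdesc = getShortDescProperty( $pageProps );
    if ( $shortdesc ) {
        // ENT_QUOTES encodes & < > " and ' so the value is safe in text and attribute context.
        return htmlspecialchars( $shortdesc, ENT_QUOTES );
    }
    return 'Default tagline';
}

/**
 * Emulates {{{html-tagline}}}: a triple-brace Mustache tag interpolates the
 * value with no escaping, so whatever arrives here is emitted as markup.
 * The wrapper element is constructed for this example.
 */
function renderTaglineTemplate( string $htmlTagline ): string {
    return '<div class="tagline">' . $htmlTagline . '</div>';
}

/** Defender-side check: did anything other than the wrapper element end up as a tag? */
function containsUnexpectedMarkup( string $renderedHtml ): bool {
    $inner = preg_replace( '#^<div class="tagline">|</div>$#', '', $renderedHtml );
    // A raw '<' followed by a letter or slash means a real tag was emitted.
    return (bool) preg_match( '#<[a-zA-Z/]#', $inner );
}

// Constructed sample input: a short description containing markup-significant characters.
$pageProps = [ 'shortdesc' => 'Rock & roll <em>"quoted"</em>' ];

$unescaped = renderTaglineTemplate( getTaglineUnescaped( $pageProps ) );
$escaped   = renderTaglineTemplate( getTaglineEscaped( $pageProps ) );

echo "Unescaped: ", $unescaped, "\n";
echo "Escaped:   ", $escaped, "\n";
echo "Unexpected markup (unescaped): ", var_export( containsUnexpectedMarkup( $unescaped ), true ), "\n";
echo "Unexpected markup (escaped):   ", var_export( containsUnexpectedMarkup( $escaped ), true ), "\n";
```

Run it with `php example.php`: the unescaped branch emits the `<em>` element as a real tag, while the escaped branch emits entity-encoded text and the check reports no unexpected markup. One caveat worth knowing when reviewing the patched call: with only ENT_QUOTES and no ENT_SUBSTITUTE, htmlspecialchars() returns an empty string for input that is not valid UTF-8, which is safe but silently drops the tagline; MediaWiki normally guarantees valid UTF-8 in page properties, so this is a robustness note rather than a security gap.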
Exploitation
An attacker with any level of edit access on a wiki (including unprivileged users, as the skin does not enforce any special rights for setting short descriptions) can inject arbitrary HTML. The proof of concept involves adding {{SHORTDESC:}} to any editable page. When another user visits that page, the unsanitized short description is rendered, executing the attacker's HTML or JavaScript in the victim's browser [2]. No special authentication or network position is required beyond normal editing permissions.
Impact
Successful exploitation enables stored cross-site scripting (XSS) [1]. This allows the attacker to execute arbitrary JavaScript in the context of the wiki, potentially stealing session cookies, modifying page content, performing actions on behalf of the victim, or escalating privileges depending on the wiki's configuration and the attacker's existing permissions.
Mitigation
The vulnerability has been patched in Citizen version 3.4.0, released on July 3, 2025, which sanitizes the short description output before rendering [4]. Administrators are strongly advised to upgrade to 3.4.0 or later immediately. No other workarounds are documented.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| starcitizentools/citizen-skin (Packagist) | >= 1.9.4, < 3.4.0 | 3.4.0 |
Affected products
- StarCitizenTools/mediawiki-skins-Citizen (v5). Range: >= 65a7ffd927467c8c3557146d1ac6de62b0369b6c, < c85a40bddc8651fff66df83a72debddcb34f0521
Patches
- c85a40bddc86 fix(SECURITY): 🐛 🔒️ sanitize short description page tagline
1 file changed · +1 −1
includes/Components/CitizenComponentPageHeading.php+1 −1 modified@@ -248,7 +248,7 @@ private function getTagline(): string { // from Extension:ShortDescription $shortdesc = $this->out->getProperty( 'shortdesc' ); if ( $shortdesc ) { - $tagline = $shortdesc; + $tagline = htmlspecialchars( $shortdesc, ENT_QUOTES ); } else { $tagline = $this->determineTagline(); }
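Review bot: the added `htmlspecialchars( $shortdesc, ENT_QUOTES )` closes the ShortDescription branch, but the `else` branch `$tagline = $this->determineTagline();` feeds the same raw `{{{html-tagline}}}` interpolation and is untouched by this hunk; the change should state (or a comment at the escape site should record) that everything determineTagline() returns is already escaped or deliberately markup. Because the value keeps the `html-` prefix and is still consumed with triple braces, a one-line comment here noting that the tagline is now HTML-safe would stop a later contributor from re-introducing an unescaped assignment; renaming the key to a non-`html-` name and escaping at the template boundary would be the more durable fix.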
- aedbceb3380b fix(SECURITY): 🐛 🔒️ sanitize search result descriptions in old search module
1 file changed · +1 −1
resources/skins.citizen.search/templates/TypeaheadListItem.mustache+1 −1 modified@@ -15,7 +15,7 @@ <div class="citizen-typeahead-list-item-text"> {{#text}}{{.}}{{/text}} {{#title}}<div class="citizen-typeahead-list-item-title">{{{.}}}</div>{{/title}} - {{#description}}<div class="citizen-typeahead-list-item-description">{{{.}}}</div>{{/description}} + {{#description}}<div class="citizen-typeahead-list-item-description">{{.}}</div>{{/description}} </div> {{#html-end}}<div class="citizen-typeahead-list-item-end">{{{.}}}</div>{{/html-end}} </a>
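Review bot: switching the description to `{{.}}` moves escaping to the template boundary, which is the right place for it, but the neighbouring `{{#title}}<div class="citizen-typeahead-list-item-title">{{{.}}}</div>{{/title}}` in the same hunk still interpolates raw, and unlike `html-end` its name does not signal that it is pre-escaped markup; the PR should say where the title value is escaped (or why it cannot carry page-derived text) so the reviewer can confirm the fix is complete rather than partial.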
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-prmv-7r8c-794g (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-53370 (ghsa, ADVISORY)
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb3380bb48db6b59e272fc187529c71c8ca (ghsa, WEB)
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bddc8651fff66df83a72debddcb34f0521 (ghsa, x_refsource_MISC, WEB)
- github.com/StarCitizenTools/mediawiki-skins-Citizen/releases/tag/v3.4.0 (ghsa, x_refsource_MISC, WEB)
- github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g (ghsa, x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.