Packagist (Composer) package
starcitizentools/citizen-skin
pkg:composer/starcitizentools/citizen-skin
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-62508 | Med | 6.5 | | >= 3.3.0, < 3.9.0 | 3.9.0 | Oct 17, 2025 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a |
| CVE-2025-53370 | — | | | >= 1.9.4, < 3.4.0 | 3.4.0 | Jul 3, 2025 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM |
| CVE-2025-53368 | — | | | >= 1.9.4, < 3.4.0 | 3.4.0 | Jul 3, 2025 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privilege |
| CVE-2025-49576 | — | | | >= 2.31.0, < 3.3.1 | 3.3.1 | Jun 12, 2025 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. |
| CVE-2025-49578 | — | | | >= 3.3.0, < 3.3.1 | 3.3.1 | Jun 12, 2025 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a gro |
| CVE-2025-49579 | — | | | >= 2.4.2, < 3.3.1 | 3.3.1 | Jun 12, 2025 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wiki |
| CVE-2025-49575 | — | | | >= 2.4.2, < 3.3.1 | 3.3.1 | Jun 12, 2025 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group |
| CVE-2025-49577 | — | | | >= 2.13.0, < 3.3.1 | 3.3.1 | Jun 12, 2025 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1. |
| CVE-2024-47536 | — | | | >= 2.6.3, < 2.31.0 | 2.31.0 | Sep 30, 2024 | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0. |