VYPR
Vendor: Starcitizentools

Products: 5
CVEs: 14
Across products: 14
Status: Private

Recent CVEs (14)

  • CVE-2025-53369 | High | Jul 3, 2025
    risk 0.49 | cvss 8.6 | epss 0.00

    Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a…

  • CVE-2025-53093 | High | Jun 27, 2025
    risk 0.49 | cvss 8.6 | epss 0.00

    TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTML into the DOM by inserting a payload into any allowed attribute of the `` tag. Version 3.1.1 contains a patch…

  • CVE-2025-21612 | High | Jan 6, 2025
    risk 0.49 | cvss 8.6 | epss 0.00

    TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Prior to 2.7.2, TabberTransclude.php doesn't escape the user-supplied page name when outputting, so an XSS payload as the page name can be used here. This vulnerability is fixed in 2.7.2.

  • CVE-2025-62508 | Med | Oct 17, 2025
    risk 0.35 | cvss 6.5 | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen versions from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from…

  • CVE-2025-53370 | Jul 3, 2025
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM…

  • CVE-2025-53368 | Jul 3, 2025
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing…

  • CVE-2025-49576 | Jun 12, 2025
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.…

  • CVE-2025-49578 | Jun 12, 2025
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a…

  • CVE-2025-49579 | Jun 12, 2025
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts…

  • CVE-2025-49575 | Jun 12, 2025
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a…

  • CVE-2025-49577 | Jun 12, 2025
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.

  • CVE-2024-47536 | Sep 30, 2024
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.

  • CVE-2024-36123 | Jun 3, 2024
    risk 0.00 | cvss - | epss 0.00

    Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page `MediaWiki:Tagline` has its contents used unescaped, so custom HTML (including JavaScript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those…

  • CVE-2022-21710 | Jan 24, 2022
    risk 0.00 | cvss - | epss 0.01

    ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the…