Sign in Get started

← All vendors

Vendor

Starcitizentools

Sign in to watch

Products

2

CVEs

2

Across products

2

Status

Private

Products

2

Mediawiki Extensions Shortdescription
1 CVE
Mediawiki Skins Citizen
1 CVE

Recent CVEs

2

CVE	Sev	Risk	CVSS	EPSS	KEV	Published	Description
CVE-2025-62508	Med	0.35	6.5	0.00		Oct 17, 2025	Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s textContent when copying button labels. This causes escaped HTML in system message content (such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk) to be interpreted as HTML in the sticky header, allowing injection of arbitrary script by a user with the ability to edit interface messages. The vulnerability allows a user with the editinterface right but without the editsitejs right (by default the sysop group has editinterface but may not have editsitejs) to execute arbitrary JavaScript in other users’ sessions, enabling unauthorized access to sensitive data or actions. The issue is fixed in 3.9.0.
CVE-2022-21710		0.00	—	0.00		Jan 24, 2022	ShortDescription is a MediaWiki extension that provides local short description support. A cross-site scripting (XSS) vulnerability exists in versions prior to 2.3.4. On a wiki that has the ShortDescription enabled, XSS can be triggered on any page or the page with the action=info parameter, which displays the shortdesc property. This is achieved using the wikitext `{{SHORTDESC:<img src=x onerror=alert()>}}`. This issue has a patch in version 2.3.4.