8.6
CVE-2025-53370
- EPSS 0.3%
- Veröffentlicht 03.07.2025 19:45:32
- Zuletzt bearbeitet 22.08.2025 14:19:32
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginCitizen stored XSS vulnerability through short descriptions
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 3.4.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Starcitizen.Tools ≫ Citizen SwPlatformmediawiki Version >= 1.9.4 < 3.4.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.214 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.3 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 8.6 | 3.9 | 4.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/releases/tag/v3.4.0
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bddc8651fff66df83a72debddcb34f0521