CVE-2025-53370 Overview
CVE-2025-53370 is a stored Cross-Site Scripting (XSS) vulnerability in the Citizen skin for MediaWiki. It affects Citizen versions from 1.9.4 up to, but not including, the fixed release 3.4.0: when the ShortDescription extension is installed, the short description it sets for a page is inserted into the page heading as raw HTML without sanitization. Any authenticated user with page-editing privileges can therefore inject arbitrary HTML into the DOM of every visitor who views the affected page, enabling client-side attacks against other users.
Critical Impact
Authenticated attackers can inject arbitrary HTML and JavaScript into MediaWiki pages using the ShortDescription feature, enabling session hijacking, credential theft, defacement, and other client-side attacks against wiki visitors.
Affected Products
- Citizen MediaWiki Skin versions 1.9.4 to 3.3.x
- MediaWiki installations using the Citizen skin with ShortDescription extension
- starcitizen.tools citizen (cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:*)
Discovery Timeline
- 2025-07-03 - CVE-2025-53370 published to NVD
- 2025-08-22 - Last updated in NVD database
Technical Details for CVE-2025-53370
Vulnerability Analysis
This Cross-Site Scripting vulnerability occurs in the CitizenComponentPageHeading.php component of the Citizen skin. When the ShortDescription extension is enabled, the Citizen skin retrieves the short description property from the output page object and directly incorporates it into the page heading area without applying HTML sanitization. Since MediaWiki allows users with editing privileges to set short descriptions for pages, an attacker can craft a malicious short description containing JavaScript or other harmful HTML elements that will execute in the browsers of users viewing the page.
The vulnerability is classified as a stored XSS because the malicious payload persists in the wiki's database and affects every user who subsequently views the compromised page. The CVSS scope metric is rated Changed because the injected code runs in visitors' browsers, so the impact lands on resources outside the vulnerable component itself.
Root Cause
The root cause is improper neutralization of user input during web page generation (CWE-79) in the Citizen skin's page heading component. The $shortdesc value read from the 'shortdesc' page property set by Extension:ShortDescription is assigned directly to the $tagline variable without sanitization, so raw HTML in the short description is rendered into the page output. The vulnerable code path trusts this user-controlled input without encoding HTML special characters.
Attack Vector
The attack vector is network-based and requires an authenticated user with page editing privileges. The attacker edits a wiki page and sets a malicious short description containing JavaScript or HTML injection payloads. When other users view the page, the unsanitized short description is rendered in their browsers, executing the injected code in the context of the wiki domain.
// Vulnerable code before patch (CitizenComponentPageHeading.php)
// from Extension:ShortDescription
$shortdesc = $this->out->getProperty( 'shortdesc' );
if ( $shortdesc ) {
	$tagline = $shortdesc;
} else {
	$tagline = $this->determineTagline();
}
Source: GitHub Commit c85a40bddc8651fff66df83a72debddcb34f0521
Detection Methods for CVE-2025-53370
Indicators of Compromise
- Unusual HTML tags or JavaScript code appearing in page short descriptions
- Unexpected external resource requests originating from wiki pages
- User reports of suspicious pop-ups, redirects, or behavior when viewing specific wiki pages
- Short descriptions containing event handlers like onerror, onload, onclick, or <script> tags
Detection Strategies
- Review recent changes to page short descriptions for suspicious HTML or JavaScript content
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor browser console errors that may indicate blocked XSS attempts
- Audit wiki edit logs for modifications to short descriptions containing encoded characters or HTML tags
Monitoring Recommendations
- Enable detailed logging for page edits, particularly those modifying short descriptions
- Configure web application firewalls to alert on common XSS patterns in wiki content
- Implement real-time monitoring for JavaScript execution anomalies in wiki pages
- Review user activity for accounts making unusual short description modifications
How to Mitigate CVE-2025-53370
Immediate Actions Required
- Upgrade the Citizen skin to version 3.4.0 or later immediately
- Audit existing short descriptions across the wiki for potentially malicious content
- Temporarily disable the ShortDescription extension if upgrade is not immediately possible
- Implement Content Security Policy headers to mitigate XSS impact
Patch Information
The vulnerability has been patched in Citizen skin version 3.4.0. The fix passes the short description through htmlspecialchars() with the ENT_QUOTES flag before rendering, so angle brackets, ampersands and both quote characters are emitted as HTML entities:
// Patched code (CitizenComponentPageHeading.php)
// from Extension:ShortDescription
$shortdesc = $this->out->getProperty( 'shortdesc' );
if ( $shortdesc ) {
	$tagline = htmlspecialchars( $shortdesc, ENT_QUOTES );
} else {
	$tagline = $this->determineTagline();
}
Source: GitHub Commit c85a40bddc8651fff66df83a72debddcb34f0521
For detailed patch information, see the GitHub Security Advisory GHSA-prmv-7r8c-794g and version 3.4.0 release notes.
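As an added example (not code from the Citizen skin or from this advisory), the following Python audit re-implements the patched call, PHP's htmlspecialchars($shortdesc, ENT_QUOTES), and runs the indicator checks from the detection section over a constructed set of short descriptions that stands in for ones exported from a wiki; it touches no live wiki.

```python
import re

# Constructed sample data standing in for short descriptions exported from a
# wiki: two benign entries and three canonical test payloads of the kinds the
# advisory's indicator list names (raw tags, event handlers, javascript: URIs).
SAMPLE_SHORTDESCS = {
    "Main Page": "Community wiki for the game",
    "Aurora MR": 'Entry-level starter ship, a.k.a. "the Aurora"',
    "Tampered A": "Ship <script>alert(1)</script>",
    "Tampered B": "<img src=x onerror=alert(1)>",
    "Tampered C": '<a href="javascript:alert(1)">details</a>',
}

# The advisory's indicators as regexes: any HTML tag, inline event-handler
# attributes, javascript: URLs, and entity-encoded angle brackets (the
# "encoded characters" its edit-log audit step mentions).
SUSPICIOUS = [
    ("html-tag", re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("encoded-bracket", re.compile(r"&(lt|gt|#0*6[02]|#x0*3[ce]);", re.IGNORECASE)),
]


def classify(shortdesc: str) -> list[str]:
    """Return the names of every indicator that matches one short description."""
    return [name for name, rx in SUSPICIOUS if rx.search(shortdesc)]


def audit(shortdescs: dict[str, str]) -> dict[str, list[str]]:
    """Map each page title to its findings, omitting pages with none."""
    return {title: hits for title, desc in shortdescs.items() if (hits := classify(desc))}


def htmlspecialchars_ent_quotes(s: str) -> str:
    """Python re-implementation of PHP's htmlspecialchars($s, ENT_QUOTES), the
    call the 3.4.0 fix wraps around $shortdesc: & < > " become named entities
    and ' becomes &#039; (ENT_HTML401 default). Replacing & first reproduces
    PHP's default double_encode=true behaviour."""
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#039;"))


def tagline_is_inert(tagline: str) -> bool:
    """True when a tagline can no longer open a tag or break out of an attribute
    value, i.e. no literal angle bracket or quote character survives in it."""
    return not any(c in tagline for c in "<>\"'")


if __name__ == "__main__":
    for title, hits in audit(SAMPLE_SHORTDESCS).items():
        print(f"{title}: {', '.join(hits)}")
        print("  rendered after fix:", htmlspecialchars_ent_quotes(SAMPLE_SHORTDESCS[title]))
```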
Workarounds
- Disable the ShortDescription extension until the Citizen skin can be updated
- Restrict page editing privileges to trusted users only
- Implement server-side content filtering to strip HTML from short descriptions
- Deploy Content Security Policy headers with script-src 'self' to prevent inline script execution
# Example Apache configuration to add CSP headers
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
Roll this out in Content-Security-Policy-Report-Only mode first: MediaWiki's pages rely on inline ResourceLoader startup scripts, so a bare script-src 'self' blocks the wiki's own JavaScript unless those scripts are allowed (MediaWiki's built-in $wgCSPHeader support emits a policy that accounts for them). A CSP also does not remove injected HTML that carries no script, such as phishing markup, so it complements the upgrade rather than replacing it.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.