Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
History
Fri, 22 Aug 2025 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Starcitizen.tools Starcitizen.tools citizen | |
| CPEs | cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:* | |
| Vendors & Products | Starcitizen.tools Starcitizen.tools citizen | |

Mon, 14 Jul 2025 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | epss | epss |

Thu, 12 Jun 2025 19:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |

Thu, 12 Jun 2025 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1. | |
| Title | Citizen allows stored XSS in Command Palette tip messages | |
| Weaknesses | CWE-79 | |
| References | | |
| Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2025-06-12T18:45:23.363Z
Updated: 2025-06-12T18:58:25.445Z
Reserved: 2025-06-06T15:44:21.555Z
Link: CVE-2025-49575

Vulnrichment
Updated: 2025-06-12T18:58:01.259Z

NVD
Status: Analyzed
Published: 2025-06-12T19:15:20.160
Modified: 2025-08-22T18:59:49.710
Link: CVE-2025-49575

Redhat
No data.