CVE-2025-49576

Опубликовано: 12 июн. 2025

Источник: nvd

CVSS3: 6.5

CVSS3: 5.4

EPSS Низкий

Описание

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.

Ссылки

https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
Patch
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/a0296afaedbe1a277337a2d8f1da83cb3a79b9ab
Patch
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:*

Версия до 3.3.1 (исключая)

EPSS

Процентиль: 7%

0.00028

Низкий

6.5 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-86xf-2mgp-gv3g

CVSS3: 6.5

github

8 месяцев назад

starcitizentools/citizen-skin allows stored XSS in search no result messages

EPSS

Процентиль: 7%

0.00028

Низкий

6.5 Medium

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79