Citizen MediaWiki Skin Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Citizen skin for MediaWiki, affecting versions from 1.9.4 up to, but not including, 3.4.0. The issue arises because page descriptions are inserted into raw HTML without proper sanitization when the old search bar is used. This allows users with page editing privileges to inject XSS payloads that are executed in the DOM of other users who search for the affected pages.
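
The pattern described above, shown as an added example that is not Citizen's own code: a search suggestion template that concatenates the description as markup, beside a version that encodes it first. The function names, the result fields and the sample description are hypothetical and constructed for illustration.

```javascript
// Added illustration; function and field names are hypothetical, not Citizen's code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the description is trusted and concatenated as markup.
function renderSuggestionUnsafe(result) {
  return '<li class="suggestion">' +
    `<span class="title">${escapeHtml(result.title)}</span>` +
    `<span class="desc">${result.description}</span>` +
    '</li>';
}

// Hardened pattern: every API-supplied field is encoded before it reaches markup.
// In a browser, assigning the value to element.textContent has the same effect.
function renderSuggestionSafe(result) {
  return '<li class="suggestion">' +
    `<span class="title">${escapeHtml(result.title)}</span>` +
    `<span class="desc">${escapeHtml(result.description)}</span>` +
    '</li>';
}

// Regression check: true when the fragment contains a tag the template does not emit.
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?([a-z][a-z0-9]*)/gi) || [];
  return tags.some((tag) => !/^<\/?(li|span)$/i.test(tag));
}

// Constructed search result whose editor-controlled description carries markup.
const sampleResult = {
  title: 'Sandbox & tests',
  description: '<img src=x onerror=alert(1)>',
};

console.log('unsafe:', containsUnexpectedTag(renderSuggestionUnsafe(sampleResult)));
console.log('safe:  ', containsUnexpectedTag(renderSuggestionSafe(sampleResult)));
```

A check like `containsUnexpectedTag` can run in a skin's unit tests over each search gateway's rendered output so that an unescaped field is caught before release.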

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected scripts are executed in the browser context of the user who performs the search.

Reproduction

To reproduce this vulnerability, disable the command palette and use the action API as the search gateway. Then, create a page with an XSS payload in the description, and search for that page using the old search bar.

Remediation

Users are advised to update to Citizen version 3.4.0 or later, where this vulnerability has been patched.

Added: Jul 3, 2025, 8:26 PM
Updated: Jul 3, 2025, 8:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.6
remediation: 7.7
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.