CVE-2025-62508: Citizen vulnerable to stored XSS in sticky header button messages
The JavaScript that copies button labels into the Citizen skin's sticky header unescapes HTML entities in the label text before writing it into the DOM, so the copied label is rendered as markup rather than as text. Because button labels come from MediaWiki system messages (pages in the MediaWiki namespace, editable by users holding the editinterface right), a crafted message can carry a script payload that is stored in the wiki and executes in the browsers of users who view the affected pages: a stored XSS.
References
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/e006923c6dbf113c9a025ca186ecc09fe7b93a15
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/fbb1d4fe9627281567706f3f6fc99a42ce16fdc4
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g955-vw6w-v6pp
- https://github.com/advisories/GHSA-g955-vw6w-v6pp
- https://nvd.nist.gov/vuln/detail/CVE-2025-62508