PT-2025-42653 · Mediawiki · Citizen

Published

2025-10-17

·

Updated

2025-10-21

·

CVE-2025-62508

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Citizen versions 3.3.0 through 3.9.0
Description

Citizen, a MediaWiki skin, is vulnerable to stored cross-site scripting in its sticky header button message handling. The copyButtonAttributes function in stickyHeader.js assigns a target element's innerHTML from a source element's textContent when copying button labels. Because textContent returns the decoded text, HTML that the server had escaped in system message content (such as citizen-share, citizen-view-history, citizen-view-edit and nstab-talk) is parsed again as markup when it is written into the sticky header, which allows arbitrary script to be injected. A user with the editinterface right, but without the editsitejs right, can therefore execute arbitrary JavaScript in other users' sessions, potentially gaining unauthorized access to sensitive data or performing unauthorized actions.
Recommendations

Update to a release later than 3.9.0; all versions from 3.3.0 through 3.9.0 are affected.
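The mechanism in the description, shown as an added example that is not the Citizen skin's code: a minimal stand-in for a DOM element models what a browser does on innerHTML assignment (parse tags, decode entities) versus textContent assignment (store verbatim). The server escapes the message on the way into the page, the source button's textContent hands the decoded string back, and the vulnerable copy re-parses it as markup. The message payload is constructed for this example, and the "safe" copy routine is an assumed fix for illustration, not necessarily the project's actual patch.

```javascript
'use strict';

// HTML escaping as a server-side templating layer does when it emits a
// system message into the page.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Entity decoding, which is what the browser does when it computes
// textContent for text that was emitted escaped.
function unescapeHtml(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&amp;/g, '&');
}

// Minimal stand-in for a DOM element: just enough of innerHTML/textContent
// to show the difference between "parse as markup" and "store as text".
class FakeElement {
  constructor() { this.text = ''; this.children = []; }

  // Assigning innerHTML parses the string: tags become child elements and
  // entities are decoded into the text that remains.
  set innerHTML(markup) {
    const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
    const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    this.children = [];
    for (const m of markup.matchAll(tagRe)) {
      if (m[1] === '/') continue;                 // closing tag, no element
      const attrs = {};
      for (const a of m[3].matchAll(attrRe)) {
        attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
      }
      this.children.push({ tag: m[2].toLowerCase(), attrs });
    }
    this.text = unescapeHtml(markup.replace(tagRe, ''));
  }

  // Assigning textContent never parses: the string is stored verbatim.
  set textContent(s) { this.children = []; this.text = s; }
  get textContent() { return this.text; }
}

// Server side: the message is escaped before it lands in the page, so in
// the source button it is inert text with no child elements.
function renderSourceButton(messageContent) {
  const el = new FakeElement();
  el.innerHTML = escapeHtml(messageContent);
  return el;
}

// The vulnerable pattern: text read from one element is written as markup.
function copyButtonAttributesVulnerable(source, target) {
  target.innerHTML = source.textContent;
  return target;
}

// One safe form: text in, text out. (Assumed fix for illustration only.)
function copyButtonAttributesSafe(source, target) {
  target.textContent = source.textContent;
  return target;
}

// Collect every on* handler attribute on the element's children: any hit
// means message text became live, script-bearing DOM.
function eventHandlerAttributes(el) {
  const found = [];
  for (const child of el.children) {
    for (const name of Object.keys(child.attrs)) {
      if (name.startsWith('on')) found.push(`${child.tag}@${name}`);
    }
  }
  return found;
}

// Constructed sample of what an editinterface user could save as the
// citizen-share message. Not taken from any real wiki.
const MESSAGE = 'Share <img src=x onerror="alert(1)">';

function demo() {
  const source = renderSourceButton(MESSAGE);
  const vulnerable = copyButtonAttributesVulnerable(source, new FakeElement());
  const safe = copyButtonAttributesSafe(source, new FakeElement());
  return {
    sourceText: source.textContent,                   // decoded, still inert
    sourceHandlers: eventHandlerAttributes(source),   // []
    vulnerableHandlers: eventHandlerAttributes(vulnerable), // ['img@onerror']
    safeHandlers: eventHandlerAttributes(safe),       // []
    safeText: safe.textContent,                       // label kept verbatim
  };
}

console.log(demo());
```

The source button is harmless because the server escaped the message and the browser stored the decoded characters as text; the copy becomes dangerous only because it converts that text back into markup. Any code path that writes user-editable text through innerHTML (or equivalent HTML-sink APIs) has the same shape, regardless of how carefully the first rendering escaped it.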

XSS

Weakness Enumeration

Related Identifiers

CVE-2025-62508
GHSA-G955-VW6W-V6PP

Affected Products

Citizen