Lucene search
K

8 matches found

OSV
OSV
added 2025/10/20 3:31 p.m.3 views

GHSA-G955-VW6W-V6PP Citizen vulnerable to stored XSS in sticky header button messages

Summary The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages. Details In the copyButtonAttributes function in stickyHeader.js, when copying the button labels, the innerHTML of the new...

6.5CVSS6AI score0.00409EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/20 3:31 p.m.5 views

EUVD-2025-34930

Citizen vulnerable to stored XSS in sticky header button messages...

6.5CVSS5.7AI score0.00409EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/10/17 8:29 p.m.9 views

CVE-2025-62508 Citizen vulnerable to stored XSS in sticky header button messages

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js the copyButtonAttributes function assigns innerHTML from a source element’s...

6.5CVSS0.00409EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/06/14 7:21 p.m.5 views

CVE-2025-49575

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the...

6.5CVSS6.2AI score0.0035EPSS
Exploits1References1
Snyk
Snyk
added 2025/06/13 2:7 p.m.2 views

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the citizen-search-noresults-title and citizen-search-noresults-desc system messages being inserted as raw HTML. An attacker can execute arbitrary HTML or JavaScript code in the context of users who view the...

8.5CVSS5.4AI score0.0035EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2025/05/23 3:16 a.m.2 views

CVE-2023-22910

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision- fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs...

5.4CVSS6.5AI score0.00516EPSS
Exploits1References1
NVD
NVD
added 2023/01/20 6:15 p.m.22 views

CVE-2023-22910

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision- fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs...

5.4CVSS5.3AI score0.00516EPSS
Exploits1References1
Prion
Prion
added 2023/01/20 6:15 p.m.42 views

Code injection

An issue was discovered in MediaWiki before 1.35.9, 1.36.x through 1.38.x before 1.38.5, and 1.39.x before 1.39.1. There is XSS in Wikibase date formatting via wikibase-time-precision- fields. This allows JavaScript execution by staff/admin users who do not intentionally have the editsitejs...

4.9CVSS5.3AI score0.00516EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder