15788 matches found

RedhatCVE
added 2025/06/14 7:21 p.m., 5 views

CVE-2025-49578

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the...

6.5 CVSS | 6.2 AI score | 0.0035 EPSS
Exploits: 1 | References: 1
RedhatCVE
added 2025/06/14 11:2 a.m., 4 views

CVE-2025-4278

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover...

8.7 CVSS | 8.4 AI score | 0.06133 EPSS
Exploits: 0 | References: 1
OSV
added 2025/06/14 6:15 a.m., 4 views

BIT-GITLAB-2025-4278 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover...

8.7 CVSS | 8.5 AI score | 0.06133 EPSS
Exploits: 0 | References: 3
Snyk
added 2025/06/13 2:9 p.m., 3 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the userDate function. An attacker can inject arbitrary HTML into the DOM by editing interface messages that are rendered as raw HTML. This is only exploitable if a user has the editinterface right but not t...

8.5 CVSS | 5.4 AI score | 0.0035 EPSS
Exploits: 1 | References: 2
OSV
added 2025/06/13 2:8 p.m., 6 views

GHSA-JWR7-992G-68MH starcitizentools/citizen-skin allows stored XSS in preference menu heading messages

Summary: Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. Details: The innerHtml of the label div is set to the textContent of the label, essentially unsanitizing the system messages:...

6.5 CVSS | 7 AI score | 0.0035 EPSS
Exploits: 1 | References: 5
OSV
added 2025/06/13 2:7 p.m., 4 views

GHSA-86XF-2MGP-GV3G starcitizentools/citizen-skin allows stored XSS in search no result messages

Summary: The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. Details: The system messages are inserted as raw HTML by the mustache template:...

6.5 CVSS | 7 AI score | 0.0035 EPSS
Exploits: 1 | References: 5
Tenable Nessus
added 2025/06/13 12:0 a.m., 4 views

FreeBSD : Gitlab -- Vulnerabilities (ae028662-475e-11f0-9ca4-2cf05da270f3)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ae028662-475e-11f0-9ca4-2cf05da270f3 advisory. Gitlab reports: HTML injection impacts GitLab CE/EE Cross-site scripting issue impacts GitLab...

9.9 CVSS | 6 AI score | 0.06533 EPSS
Exploits: 3 | References: 12
NVD
added 2025/06/12 7:15 p.m., 8 views

CVE-2025-49575

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the...

6.5 CVSS | 0.0035 EPSS
Exploits: 1 | References: 3
NVD
added 2025/06/12 7:15 p.m., 8 views

CVE-2025-49578

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the...

6.5 CVSS | 0.0035 EPSS
Exploits: 1 | References: 3
Vulnrichment
added 2025/06/12 6:50 p.m., 7 views

CVE-2025-49576 Citizen allows stored XSS in search no result messages

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerabilit...

6.5 CVSS | 6.9 AI score | 0.0035 EPSS
Exploits: 1 | References: 3
CVE
added 2025/06/12 6:50 p.m., 47 views

CVE-2025-49576

Summary (mode C): CVE-2025-49576 affects the Citizen MediaWiki skin (StarCitizenTools) used in Wikis that employ the Citizen skin. The vulnerability arises because the system messages citizen-search-noresults-title and citizen-search-noresults-desc are inserted into raw HTML, allowing an attacker...

6.5 CVSS | 6.3 AI score | 0.0035 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
OSV
added 2025/06/12 6:50 p.m., 5 views

CVE-2025-49578 Citizen allows stored XSS in user registration date message

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the...

6.5 CVSS | 6.5 AI score | 0.0035 EPSS
Exploits: 1 | References: 5
OSV
added 2025/06/12 6:50 p.m., 4 views

CVE-2025-49579 Citizen allows stored XSS in menu heading message

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group h...

6.5 CVSS | 6.5 AI score | 0.00345 EPSS
Exploits: 1 | References: 5
CVE
added 2025/06/12 6:50 p.m., 47 views

CVE-2025-49579

CVE-2025-49579 affects the Citizen MediaWiki skin. The vulnerability arises because all system messages in Menu.mustache are inserted as raw HTML, enabling stored XSS when a user with editinterface but lacking editsitejs can edit messages. Affected versions are prior to Citizen 3.3.1, with fixed ...

6.5 CVSS | 6.3 AI score | 0.00345 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
CVE
added 2025/06/12 6:45 p.m., 52 views

CVE-2025-49577

Citizen is a MediaWiki skin; multiple connected sources describe a stored XSS vulnerability in the preference menu headings caused by unsanitized insertion of messages into raw HTML. Affected versions are prior to 3.3.1, and the issue is fixed in 3.3.1. Remediation: upgrade citizen-skin to versio...

6.5 CVSS | 6.3 AI score | 0.0035 EPSS
Exploits: 1 | References: 3 | Affected Software: 1
NVD
added 2025/06/12 10:16 a.m., 16 views

CVE-2025-4278

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover...

8.7 CVSS | 0.06133 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2025/06/12 10:2 a.m., 5 views

CVE-2025-4278 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover...

8.7 CVSS | 7.1 AI score | 0.06133 EPSS
Exploits: 0 | References: 2
Cvelist
added 2025/06/12 10:2 a.m., 43 views

CVE-2025-4278 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover...

8.7 CVSS | 0.06133 EPSS
Exploits: 0 | References: 2
CVE
added 2025/06/12 10:2 a.m., 75 views

CVE-2025-4278

CVE-2025-4278 affects GitLab CE/EE, with all versions starting from 18.0 up to, but not including, 18.0.2. The issue is an HTML injection vulnerability in the new search page that under certain conditions could lead to an account takeover. The available connected documents consistently describe t...

8.7 CVSS | 7.1 AI score | 0.06133 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2025/06/12 10:2 a.m., 4 views

CVE-2025-4278 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions starting with 18.0 before 18.0.2. Under certain conditions html injection in new search page could lead to account takeover...

8.7 CVSS | 7 AI score | 0.06133 EPSS
Exploits: 0 | References: 5