Vulnerability-Lookup

CVE-2025-49575 (GCVE-0-2025-49575)

Vulnerability from cvelistv5 – Published: 2025-06-12 18:45 – Updated: 2025-06-12 18:58

Title

Citizen allows stored XSS in Command Palette tip messages

Summary

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

GitHub_M

References

3 references

URL	Tags
https://github.com/StarCitizenTools/mediawiki-ski…	x_refsource_CONFIRM
https://github.com/StarCitizenTools/mediawiki-ski…	x_refsource_MISC
https://github.com/StarCitizenTools/mediawiki-ski…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
StarCitizenTools	mediawiki-skins-Citizen	Affected: >= 4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5, < 93c36ac778397e0e7c46cf7adb1e5d848265f1bd Affected: >= 3.2.0, < 3.3.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-49575",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-12T18:57:54.285326Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-12T18:58:25.445Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "mediawiki-skins-Citizen",
          "vendor": "StarCitizenTools",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5, \u003c 93c36ac778397e0e7c46cf7adb1e5d848265f1bd"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.2.0, \u003c 3.3.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T18:50:35.436Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87"
        },
        {
          "name": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5"
        },
        {
          "name": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd"
        }
      ],
      "source": {
        "advisory": "GHSA-4c2h-67qq-vm87",
        "discovery": "UNKNOWN"
      },
      "title": "Citizen allows stored XSS in Command Palette tip messages"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-49575",
    "datePublished": "2025-06-12T18:45:23.363Z",
    "dateReserved": "2025-06-06T15:44:21.555Z",
    "dateUpdated": "2025-06-12T18:58:25.445Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-49575",
      "date": "2026-05-28",
      "epss": "0.00156",
      "percentile": "0.36"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-49575\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-06-12T19:15:20.160\",\"lastModified\":\"2025-08-22T18:59:49.710\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.\"},{\"lang\":\"es\",\"value\":\"Citizen es una interfaz de MediaWiki que integra las extensiones en la experiencia cohesiva. Se insertan m\u00faltiples mensajes del sistema en CommandPaletteFooter como HTML sin formato, lo que permite que cualquiera que pueda editarlos inserte HTML arbitrario en el DOM. Esto afecta a las wikis donde un grupo tiene el permiso de usuario `editinterface` pero no el de `editsitejs`. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 3.3.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:*\",\"versionEndExcluding\":\"3.3.1\",\"matchCriteriaId\":\"02337D0B-F229-4068-85B2-AB0A2C13C77E\"}]}]}],\"references\":[{\"url\":\"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-49575\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-12T18:57:54.285326Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-12T18:58:01.259Z\"}}], \"cna\": {\"title\": \"Citizen allows stored XSS in Command Palette tip messages\", \"source\": {\"advisory\": \"GHSA-4c2h-67qq-vm87\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"StarCitizenTools\", \"product\": \"mediawiki-skins-Citizen\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5, \u003c 93c36ac778397e0e7c46cf7adb1e5d848265f1bd\"}, {\"status\": \"affected\", \"version\": \"\u003e= 3.2.0, \u003c 3.3.1\"}]}], \"references\": [{\"url\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd\", \"name\": \"https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-06-12T18:50:35.436Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-49575\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-12T18:58:25.445Z\", \"dateReserved\": \"2025-06-06T15:44:21.555Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-06-12T18:45:23.363Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2025-49575

Vulnerability from fkie_nvd - Published: 2025-06-12 19:15 - Updated: 2025-08-22 18:59

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5	Patch
security-advisories@github.com	https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd	Patch
security-advisories@github.com	https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	starcitizen.tools	citizen	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:starcitizen.tools:citizen:*:*:*:*:*:mediawiki:*:*",
              "matchCriteriaId": "02337D0B-F229-4068-85B2-AB0A2C13C77E",
              "versionEndExcluding": "3.3.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1."
    },
    {
      "lang": "es",
      "value": "Citizen es una interfaz de MediaWiki que integra las extensiones en la experiencia cohesiva. Se insertan m\u00faltiples mensajes del sistema en CommandPaletteFooter como HTML sin formato, lo que permite que cualquiera que pueda editarlos inserte HTML arbitrario en el DOM. Esto afecta a las wikis donde un grupo tiene el permiso de usuario `editinterface` pero no el de `editsitejs`. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 3.3.1."
    }
  ],
  "id": "CVE-2025-49575",
  "lastModified": "2025-08-22T18:59:49.710",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-06-12T19:15:20.160",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-4C2H-67QQ-VM87

Vulnerability from github – Published: 2025-06-11 19:59 – Updated: 2025-06-13 03:43

Summary

Citizen skin vulnerable to stored XSS through multiple system messages

Details

Summary

Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The messages are retrieved using the plain() output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66 currentTip is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69 currentTip is inserted as raw HTML (vue/no-v-html should not be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L3-L4

PoC

Edit citizen-command-palette-tip-commands, citizen-command-palette-tip-users, citizen-command-palette-tip-namespace and citizen-command-palette-tip-templates to <img src="" onerror="alert(1)"> (script tags don't work here due to the way the HTML is inserted)
Open the command palette

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "starcitizentools/citizen-skin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.4.2"
            },
            {
              "fixed": "3.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-49575"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-11T19:59:54Z",
    "nvd_published_at": "2025-06-12T19:15:20Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nMultiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.\n\n### Details\nThe messages are retrieved using the `plain()` output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66\n`currentTip` is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69\n`currentTip` is inserted as raw HTML (`vue/no-v-html` should *not* be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L3-L4\n\n### PoC\n1. Edit `citizen-command-palette-tip-commands`, `citizen-command-palette-tip-users`, `citizen-command-palette-tip-namespace` and `citizen-command-palette-tip-templates` to `\u003cimg src=\"\" onerror=\"alert(1)\"\u003e` (script tags don\u0027t work here due to the way the HTML is inserted)\n2. Open the command palette\n![image](https://github.com/user-attachments/assets/f07b238b-1ac1-4781-8d03-db755ba04546)\n\n### Impact\nThis impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.",
  "id": "GHSA-4c2h-67qq-vm87",
  "modified": "2025-06-13T03:43:58Z",
  "published": "2025-06-11T19:59:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49575"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4fa69e1d062dca7e407cc0530cf1da3e2baaf0b5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Citizen skin vulnerable to stored XSS through multiple system messages"
}

WID-SEC-W-2025-1525

Vulnerability from csaf_certbund - Published: 2025-07-09 22:00 - Updated: 2025-07-23 22:00

Summary

MediaWiki Extensions und Skins: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: MediaWiki ist ein freies Wiki, das ursprünglich für den Einsatz auf Wikipedia entwickelt wurde.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um SQL-Injection- und XSS-Angriffe durchzuführen, Sicherheitsmechanismen zu umgehen, vertrauliche Informationen offenzulegen oder sich unbefugt höhere Berechtigungen zu verschaffen.

Betroffene Betriebssysteme: - Linux - Sonstiges - UNIX - Windows

CVE-2025-32956

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-32964

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-43861

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49575

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49576

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49577

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49578

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-49579

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53093

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53368

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53369

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53370

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53478

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53479

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53480

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53481

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53482

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53483

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53484

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53485

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53486

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53487

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53488

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53489

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53490

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53491

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53492

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53493

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53494

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53495

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53496

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53497

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53498

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53499

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53500

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53501

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-53502

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-6926

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-7056

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-7057

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-7362

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

CVE-2025-7363

Affected products

Known affected 4 products

Product	Identifier	Version
Open Source MediaWiki <1.43.2 Open Source / MediaWiki		<1.43.2
Open Source MediaWiki <1.42.7 Open Source / MediaWiki		<1.42.7
Debian Linux Debian	`cpe:/o:debian:debian_linux:-`	—
Open Source MediaWiki <1.39.13 Open Source / MediaWiki		<1.39.13

References

4 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://lists.wikimedia.org/hyperkitty/list/media…	external
https://lists.debian.org/debian-lts-announce/2025…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MediaWiki ist ein freies Wiki, das urspr\u00fcnglich f\u00fcr den Einsatz auf Wikipedia entwickelt wurde.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um SQL-Injection- und XSS-Angriffe durchzuf\u00fchren, Sicherheitsmechanismen zu umgehen, vertrauliche Informationen offenzulegen oder sich unbefugt h\u00f6here Berechtigungen zu verschaffen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges\n- UNIX\n- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1525 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-1525.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1525 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1525"
      },
      {
        "category": "external",
        "summary": "MediaWiki Extensions and Skins Security Release Supplement vom 2025-07-09",
        "url": "https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/B757OC4UOPKOO4EYXNPUKQY2BS4CQE2E/"
      },
      {
        "category": "external",
        "summary": "Debian Security Advisory DLA-4249 vom 2025-07-23",
        "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00012.html"
      }
    ],
    "source_lang": "en-US",
    "title": "MediaWiki Extensions und Skins: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-07-23T22:00:00.000+00:00",
      "generator": {
        "date": "2025-07-24T07:52:25.673+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.4.0"
        }
      },
      "id": "WID-SEC-W-2025-1525",
      "initial_release_date": "2025-07-09T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-07-09T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2025-07-23T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Debian aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Debian Linux",
            "product": {
              "name": "Debian Linux",
              "product_id": "2951",
              "product_identification_helper": {
                "cpe": "cpe:/o:debian:debian_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Debian"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.39.13",
                "product": {
                  "name": "Open Source MediaWiki \u003c1.39.13",
                  "product_id": "T044971"
                }
              },
              {
                "category": "product_version",
                "name": "1.39.13",
                "product": {
                  "name": "Open Source MediaWiki 1.39.13",
                  "product_id": "T044971-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:1.39.13"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.42.7",
                "product": {
                  "name": "Open Source MediaWiki \u003c1.42.7",
                  "product_id": "T044972"
                }
              },
              {
                "category": "product_version",
                "name": "1.42.7",
                "product": {
                  "name": "Open Source MediaWiki 1.42.7",
                  "product_id": "T044972-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:1.42.7"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.43.2",
                "product": {
                  "name": "Open Source MediaWiki \u003c1.43.2",
                  "product_id": "T044973"
                }
              },
              {
                "category": "product_version",
                "name": "1.43.2",
                "product": {
                  "name": "Open Source MediaWiki 1.43.2",
                  "product_id": "T044973-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:mediawiki:mediawiki:1.43.2"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "MediaWiki"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-32956",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-32956"
    },
    {
      "cve": "CVE-2025-32964",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-32964"
    },
    {
      "cve": "CVE-2025-43861",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-43861"
    },
    {
      "cve": "CVE-2025-49575",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49575"
    },
    {
      "cve": "CVE-2025-49576",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49576"
    },
    {
      "cve": "CVE-2025-49577",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49577"
    },
    {
      "cve": "CVE-2025-49578",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49578"
    },
    {
      "cve": "CVE-2025-49579",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-49579"
    },
    {
      "cve": "CVE-2025-53093",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53093"
    },
    {
      "cve": "CVE-2025-53368",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53368"
    },
    {
      "cve": "CVE-2025-53369",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53369"
    },
    {
      "cve": "CVE-2025-53370",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53370"
    },
    {
      "cve": "CVE-2025-53478",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53478"
    },
    {
      "cve": "CVE-2025-53479",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53479"
    },
    {
      "cve": "CVE-2025-53480",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53480"
    },
    {
      "cve": "CVE-2025-53481",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53481"
    },
    {
      "cve": "CVE-2025-53482",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53482"
    },
    {
      "cve": "CVE-2025-53483",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53483"
    },
    {
      "cve": "CVE-2025-53484",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53484"
    },
    {
      "cve": "CVE-2025-53485",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53485"
    },
    {
      "cve": "CVE-2025-53486",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53486"
    },
    {
      "cve": "CVE-2025-53487",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53487"
    },
    {
      "cve": "CVE-2025-53488",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53488"
    },
    {
      "cve": "CVE-2025-53489",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53489"
    },
    {
      "cve": "CVE-2025-53490",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53490"
    },
    {
      "cve": "CVE-2025-53491",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53491"
    },
    {
      "cve": "CVE-2025-53492",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53492"
    },
    {
      "cve": "CVE-2025-53493",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53493"
    },
    {
      "cve": "CVE-2025-53494",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53494"
    },
    {
      "cve": "CVE-2025-53495",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53495"
    },
    {
      "cve": "CVE-2025-53496",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53496"
    },
    {
      "cve": "CVE-2025-53497",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53497"
    },
    {
      "cve": "CVE-2025-53498",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53498"
    },
    {
      "cve": "CVE-2025-53499",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53499"
    },
    {
      "cve": "CVE-2025-53500",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53500"
    },
    {
      "cve": "CVE-2025-53501",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53501"
    },
    {
      "cve": "CVE-2025-53502",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-53502"
    },
    {
      "cve": "CVE-2025-6926",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-6926"
    },
    {
      "cve": "CVE-2025-7056",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-7056"
    },
    {
      "cve": "CVE-2025-7057",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-7057"
    },
    {
      "cve": "CVE-2025-7362",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-7362"
    },
    {
      "cve": "CVE-2025-7363",
      "product_status": {
        "known_affected": [
          "T044973",
          "T044972",
          "2951",
          "T044971"
        ]
      },
      "release_date": "2025-07-09T22:00:00.000+00:00",
      "title": "CVE-2025-7363"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2025-49575 (GCVE-0-2025-49575)

FKIE_CVE-2025-49575

GHSA-4C2H-67QQ-VM87

Summary

Details

PoC

Impact

WID-SEC-W-2025-1525

Tags

Sightings

Nomenclature