SomeRandomDeveloper

12 exploits Active since Jun 2025
CVE-2025-49577 MEDIUM WRITEUP
starcitizen.tools/citizen < 3.3.1 - Stored Cross-Site Scripting via Preferences Messages
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.
CVSS 6.5
CVE-2025-59839 HIGH WRITEUP
EmbedVideo < 4.0.0 - Stored Cross-Site Scripting via Arbitrary HTML Attributes
The EmbedVideo Extension is a MediaWiki extension which adds a parser function called #ev and various parser tags for embedding video clips from various video sharing services. In versions 4.0.0 and prior, the EmbedVideo extension allows adding arbitrary attributes to an HTML element, allowing for stored XSS through wikitext. This issue has been patched via commit 4e075d3.
CVSS 8.6
CVE-2025-49575 MEDIUM WRITEUP
citizen < 3.3.1 - Stored Cross-Site Scripting via CommandPaletteFooter System Messages
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
CVSS 6.5
CVE-2025-49576 MEDIUM WRITEUP
Citizen < 3.3.1 - Stored Cross-Site Scripting via Search No-Results Messages
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.
CVSS 6.5
CVE-2025-49578 MEDIUM WRITEUP
Citizen < 3.3.1 - Stored Cross-Site Scripting via Language::userDate Date Messages
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `Language::userDate` are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
CVSS 6.5
CVE-2025-49579 MEDIUM WRITEUP
Citizen < 3.3.1 - Stored Cross-Site Scripting via Menu.mustache Template
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.
CVSS 6.5
CVE-2025-53368 HIGH WRITEUP
Citizen 1.9.4-3.4.0 - Stored Cross-Site Scripting via Old Search Bar
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0.
CVSS 8.6
CVE-2025-53369 HIGH WRITEUP
ShortDescription 4.0.0 - Stored Cross-Site Scripting via mw.util.addSubtitle
Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 4.0.1.
CVSS 8.6
CVE-2025-53370 HIGH WRITEUP
Citizen 1.9.4-3.3.9 - Stored Cross-Site Scripting via ShortDescription Extension
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 3.4.0.
CVSS 8.6
CVE-2025-53371 CRITICAL WRITEUP
DiscordNotifications - Server-Side Request Forgery and Denial of Service via Webhook URL
DiscordNotifications is an extension for MediaWiki that sends notifications of actions in your wiki to a Discord channel. DiscordNotifications allows sending requests via curl and file_get_contents to arbitrary URLs set via `$wgDiscordIncomingWebhookUrl` and `$wgDiscordAdditionalIncomingWebhookUrls`. This allows for DoS by causing the server to read large files. SSRF is also possible if there are internal unprotected APIs that can be accessed using HTTP POST requests, which could also possibly lead to RCE. This vulnerability is fixed in commit 1f20d850cbcce5b15951c7c6127b87b927a5415e.
CVSS 9.1
CVE-2025-59332 HIGH WRITEUP
3DAlloy 1.0-1.8 - Stored Cross-Site Scripting via Custom Canvas Attributes
3DAlloy is a lightweight 3D viewer for MediaWiki. From 1.0 through 1.8, the `<3d>` parser tag and the `{{#3d}}` parser function allow users to provide custom attributes that are then appended to the canvas HTML element that is being output by the extension. The attributes are not sanitized, which means that arbitrary JavaScript can be inserted and executed.
CVSS 8.6
CVE-2025-62508 MEDIUM WRITEUP
Citizen Skin 3.3.0-3.9.0 - Stored Cross-Site Scripting in Sticky Header Button Message Handling
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Citizen versions from 3.3.0 to 3.9.0 are vulnerable to stored cross-site scripting in the sticky header button message handling. In stickyHeader.js, the copyButtonAttributes function assigns innerHTML from a source element’s textContent when copying button labels. This causes escaped HTML in system message content (such as citizen-share, citizen-view-history, citizen-view-edit, and nstab-talk) to be interpreted as HTML in the sticky header, allowing injection of arbitrary script by a user with the ability to edit interface messages. The vulnerability allows a user with the `editinterface` right but without the `editsitejs` right (by default the sysop group has `editinterface` but may not have `editsitejs`) to execute arbitrary JavaScript in other users’ sessions, enabling unauthorized access to sensitive data or actions. The issue is fixed in 3.9.0.
CVSS 6.5