CVE-2025-53369 – starcitizentools/short-description
Package
Manager: composer
Name: starcitizentools/short-description
Vulnerable Version: >=4.0.0 <4.0.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00067 (percentile 0.21011)
Details
Citizen Short Description stored XSS vulnerability through wikitext

### Summary
Short descriptions are not properly sanitized by the ShortDescription extension before being inserted as HTML using `mw.util.addSubtitle`, allowing any user to insert arbitrary HTML into the DOM by editing a page.

### Details
The description provided by the user via the `{{SHORTDESC:}}` parser function is insufficiently sanitized by the `sanitize()` function, as HTML entities are decoded:
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/includes/Hooks/ParserHooks.php#L147-L159

Via JS, the short description is then passed to `mw.util.addSubtitle`, which inserts it as raw HTML:
https://github.com/StarCitizenTools/mediawiki-extensions-ShortDescription/blob/7244b1e8b5cb6dbd7e546c5be7fed8a56e33d065/modules/ext.shortDescription.js#L8
https://github.com/wikimedia/mediawiki/blob/96372101b3c579d9992e8a31a3ccd90a937cac47/resources/src/mediawiki.util/util.js#L552-L563

### PoC
1. Enable ShortDescription
2. Make sure `$wgShortDescriptionEnableTagline` is set to `true` (this is the default)
3. Create a page and insert the following wikitext: `{{SHORTDESC:<img src="" onerror="alert('shortdescription xss')">}}`
4. Visit the page

### Impact
Arbitrary HTML can be inserted into the DOM by any user, allowing JavaScript to be executed.
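The decode-then-insert-as-HTML path described above, modelled as an added JavaScript example (this is not the extension's or MediaWiki's code; `decodeEntities`, `escapeHtml` and the two `*SubtitleHtml` functions are constructed stand-ins for `sanitize()` and the `mw.util.addSubtitle` sink, and the input strings are constructed):

```javascript
// Added example, not code from the ShortDescription extension or MediaWiki.
// Models the root cause: a "sanitizer" that decodes HTML entities and hands the
// result to an HTML sink leaves any tag in the description live. The hardened
// variant re-escapes before the sink, which is equivalent to inserting a text node.

const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decodes named and numeric entities: "&lt;" -> "<", "&#60;" -> "<", "&#x3E;" -> ">".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const code = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return Number.isFinite(code) && code <= 0x10ffff ? String.fromCodePoint(code) : m;
    }
    const r = NAMED[body.toLowerCase()];
    return r === undefined ? m : r;
  });
}

// Escapes the five HTML-significant characters so the string is inert as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Constructed model of the vulnerable path: entities decoded, nothing escaped,
// and the result goes straight to an HTML sink (innerHTML-style insertion).
function vulnerableSubtitleHtml(desc) {
  return decodeEntities(desc);
}

// Hardened model: decode for display ("&amp;" still shows as "&"), then escape
// so the HTML sink only ever sees text, never elements or attributes.
function hardenedSubtitleHtml(desc) {
  return escapeHtml(decodeEntities(desc));
}

// Review/logging helper: true if the string that reaches the sink opens a tag.
// Event-handler attributes are only live inside a tag, so a tag start suffices.
function containsActiveMarkup(html) {
  return /<\s*\/?[a-z]/i.test(html);
}

// Constructed inputs: the advisory's PoC value and an entity-encoded form of it.
const POC_DESC = '<img src="" onerror="alert(\'shortdescription xss\')">';
const ENCODED_DESC = '&lt;img src="" onerror="alert(1)"&gt;';
```

Because decoding happens before the sink, even the entity-encoded form becomes a live element on the vulnerable path, while the hardened path keeps both inert.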
Metadata
Created: 2025-07-03T21:38:37Z
Modified: 2025-07-03T21:38:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-p85q-mww9-gwqf/GHSA-p85q-mww9-gwqf.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-p85q-mww9-gwqf
Finding: F425
Auto approve: 1