Key Information

Vulnerability Overview
Vulnerability Type: Stored XSS (Cross-Site Scripting)
Location: Sticky header button messages

Affected Versions
Affected Versions: >= 3.3.0 (commit fbb1d4fe9627281567706f3f6fc39a42c16fdc4)
Fixed Versions: commit e006923c6dbf113c9a025ca186ecc09fe7b93a15 and later

Description
Summary: In the Citizen skin, the JavaScript that copies button labels into the sticky header does not escape HTML characters. A user who can edit the relevant system messages can therefore store a payload that is rendered as markup, and executed as script, for every visitor (stored XSS).

Details: When copying a button label, the function sets the of the old element as the of the new element, so unescaped HTML characters in the label are interpreted as HTML instead of being displayed as text.

PoC
1. Edit an affected message (e.g., , , , ) and insert the following payload:
2. Access any wiki page using the Citizen skin. Loading the page is sufficient; no further interaction is required (CVSS UI:N).

Impact
This vulnerability affects wikis where users have the permission but not the permission. By default, the sysop group falls into this category. Because the stored payload runs as JavaScript in the browser of every visitor, a user holding only the first right gains site-wide script execution that the second right is meant to gate; on wikis where the same users already hold both rights, the bug adds no new capability.

Additional Information
Severity: Moderate
CVSS v3 base metrics (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N, base score 6.5):
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None
CVE ID: CVE-2025-62508
Weakness: CWE-79
Reporter: SomeMWDev
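The following is an added example, not code from the Citizen skin or from MediaWiki core. It models the bug class the Details section describes: a button label is copied from one element into another through the innerHTML sink, so a label that came from an editable system message is parsed as HTML. Beside the vulnerable copy it shows the two fixes a practitioner would reach for (copy text to text, or escape before writing markup). The element objects, the `containsMarkup` check, the `escapeHtml` helper and the `POISONED_LABEL` sample are all constructed here so the file runs without a browser; the advisory's actual payload and message names are not reproduced.

```javascript
// Added example, not code from the Citizen skin or from MediaWiki core.
// It models the advisory's bug class: a button label is copied from one
// element into another through the innerHTML sink, so a label that came
// from an editable system message is parsed as HTML. The element objects
// are plain stand-ins so the file runs without a browser; with real
// HTMLElements the three copy functions work unchanged.

// Minimal element stand-in: a text sink and a markup sink.
function makeElement(text) {
  return { textContent: text, innerHTML: '' };
}

// A string assigned to innerHTML creates nodes as soon as it contains a tag
// opener; that is the point at which an event handler attribute becomes live.
function containsMarkup(html) {
  return /<[a-zA-Z!\/?]/.test(html);
}

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: the source element's text is written to the target's
// innerHTML unescaped. Returns a record of which sink received what.
function copyLabelUnsafe(oldEl, newEl) {
  newEl.innerHTML = oldEl.textContent;
  return { sink: 'innerHTML', value: newEl.innerHTML };
}

// Fix 1: text sink to text sink. The label is never parsed as markup.
function copyLabelSafe(oldEl, newEl) {
  newEl.textContent = oldEl.textContent;
  return { sink: 'textContent', value: newEl.textContent };
}

// Fix 2: when the target must be assembled as a markup string (for example a
// template), escape the label first. mw.html.escape() in MediaWiki core does
// the same job; a local escaper keeps this file stand-alone.
function copyLabelEscaped(oldEl, newEl) {
  newEl.innerHTML = escapeHtml(oldEl.textContent);
  return { sink: 'innerHTML', value: newEl.innerHTML };
}

// A copy leads to script execution only when markup reached a markup sink.
function wouldExecute(result) {
  return result.sink === 'innerHTML' && containsMarkup(result.value);
}

// Constructed sample label, as a user with the right to edit system messages
// might store it. The advisory's actual payload is not reproduced here.
const POISONED_LABEL = 'Search <img src=x onerror="alert(1)">';

function demo() {
  const source = makeElement(POISONED_LABEL);
  return {
    unsafe: wouldExecute(copyLabelUnsafe(source, makeElement(''))),   // true
    safe: wouldExecute(copyLabelSafe(source, makeElement(''))),       // false
    escaped: wouldExecute(copyLabelEscaped(source, makeElement(''))), // false
  };
}

console.log(demo());
```

The check to apply when reviewing similar skin or gadget code is the sink, not the source: any string that originates in a system message must reach the page through `textContent` (or an equivalent text-only API), or be passed through an HTML escaper before it is concatenated into markup. In a browser, reading `innerHTML` back after the unsafe copy returns the serialised, already-parsed tree, which is exactly why the handler attribute is live by the time anyone can inspect it.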