Описание
starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field
Summary
A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.
Details
Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137
This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c
PoC
- Login
- Go to Special:Preferences
- Set the real name field to a string like
<script>alert("Admin with a propensity for self-XSSes")</script> - Save your settings and use Citizen if it's not being used already
Impact
Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.
Ссылки
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-62r2-gcxr-426x
- https://nvd.nist.gov/vuln/detail/CVE-2024-47536
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/717d16af35b10dab04d434aefddbf991fc8c168c
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/86da3e07718c8d8da6f4310386fef85599606f9b
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137
Пакеты
starcitizentools/citizen-skin
>= 2.6.3, < 2.31.0
2.31.0
EPSS
4.8 Medium
CVSS4
4.6 Medium
CVSS3
CVE ID
Дефекты
Связанные уязвимости
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.
EPSS
4.8 Medium
CVSS4
4.6 Medium
CVSS3