Описание
starcitizentools/citizen-skin allows stored XSS in search no result messages
Summary
The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The system messages are inserted as raw HTML by the mustache template: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache#L8-L9
PoC
- Edit
citizen-search-noresults-titleandcitizen-search-noresults-descto<img src="" onerror="alert('citizen-search-noresults-title')">and<img src="" onerror="alert('citizen-search-noresults-desc')">(script tags don't work here due to the way the HTML is inserted) - Open the search bar and search for a page that doesn't exist to get the "no results" messages to show up
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
Ссылки
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-86xf-2mgp-gv3g
- https://nvd.nist.gov/vuln/detail/CVE-2025-49576
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/a0296afaedbe1a277337a2d8f1da83cb3a79b9ab
Пакеты
starcitizentools/citizen-skin
>= 2.31.0, < 3.3.1
3.3.1
Связанные уязвимости
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This vulnerability is fixed in 3.3.1.