Описание
starcitizentools/citizen-skin allows stored XSS in menu heading message
Summary
All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The system messages for menu headings are inserted unescaped into raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10
PoC
- Go to any article using citizen with the
uselangparameter set tox-xss - A large number of alerts will be shown for various messages, e.g.:
On the main page of my test wiki, the following messages were shown: navigation, notifications, user-interface-preferences, personaltools, variants, views, associated-pages, cactions and toolbox.
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
Ссылки
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g3cp-pq72-hjpv
- https://nvd.nist.gov/vuln/detail/CVE-2025-49579
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
Пакеты
starcitizentools/citizen-skin
>= 2.4.2, < 3.3.1
3.3.1
Связанные уязвимости
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. This vulnerability is fixed in 3.3.1.