Описание
Citizen vulnerable to Stored XSS through short descriptions
Summary
Short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page.
Details
The shortdesc property, which contains unsanitized user input, is retrieved from the OutputPage and returned as the tagline:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/includes/Components/CitizenComponentPageHeading.php#L249-L251
The tagline is then provided to the template data:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/includes/Components/CitizenComponentPageHeading.php#L270-L275
The template then inserts the tagline into raw HTML without doing any escaping:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/0d8a44011e02a081618359a1e90f462478e807aa/templates/PageHeading.mustache#L12
PoC
- Enable Citizen and ShortDescription
- Add
{{SHORTDESC:<img src="" onerror="alert('citizen shortdescription xss')">}}to a page - Visit the page
Impact
Arbitrary HTML can be inserted into the DOM by any user, allowing for JavaScript to be executed.
Ссылки
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-prmv-7r8c-794g
- https://nvd.nist.gov/vuln/detail/CVE-2025-53370
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/aedbceb3380bb48db6b59e272fc187529c71c8ca
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/c85a40bddc8651fff66df83a72debddcb34f0521
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/releases/tag/v3.4.0
Пакеты
starcitizentools/citizen-skin
>= 1.9.4, < 3.4.0
3.4.0
Связанные уязвимости
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 3.4.0.