starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field
Moderate severity
GitHub Reviewed
Published
Sep 28, 2024
in
StarCitizenTools/mediawiki-skins-Citizen
•
Updated Sep 30, 2024
Package
Affected versions
>= 2.6.3, < 2.31.0
Patched versions
2.31.0
Description
Published by the National Vulnerability Database
Sep 30, 2024
Published to the GitHub Advisory Database
Sep 30, 2024
Reviewed
Sep 30, 2024
Last updated
Sep 30, 2024
Summary
A user with the
editmyprivateinfo
right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.Details
Here's the offending line:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137
This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c
PoC
<script>alert("Admin with a propensity for self-XSSes")</script>
Impact
Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.
References