CVE-2024-47536 – starcitizentools/citizen-skin
Package
Manager: composer
Name: starcitizentools/citizen-skin
Vulnerable Version: >=2.6.3 <2.31.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00056 (percentile: 0.17464)
Details
starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field

### Summary
A user with the `editmyprivateinfo` right, or who can otherwise change their name, can XSS themselves by setting their "real name" to an XSS payload.

### Details
Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137

This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c

### PoC
1. Log in
2. Go to Special:Preferences
3. Set the real name field to a string like `<script>alert("Admin with a propensity for self-XSSes")</script>`
4. Save your settings and use Citizen if it's not being used already

### Impact
Any user who can change their name (whether it's through the `editmyprivateinfo` right or through other means) can add XSS payloads that trigger for themselves only.
Metadata
Created: 2024-09-30T17:48:33Z
Modified: 2024-09-30T20:11:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-62r2-gcxr-426x/GHSA-62r2-gcxr-426x.json
CWE IDs: ["CWE-79", "CWE-80"]
Alternative ID: GHSA-62r2-gcxr-426x
Finding: F425
Auto approve: 1