CVE-2024-47536
MEDIUM4.6EPSS 0.80%starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field
Description
### Summary A user with the `editmyprivateinfo` right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. ### Details Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137 This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c ### PoC 1. Login 2. Go to Special:Preferences 3. Set the real name field to a string like `<script>alert("Admin with a propensity for self-XSSes")</script>` 4. Save your settings and use Citizen if it's not being used already  ### Impact Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.
Affected packages (1)
- Packagist/starcitizentools/citizen-skin>= 2.6.3, < 2.31.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N |
| osv | CVSS 3.1 | MEDIUM4.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-47536
- PATCHhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen
- WEBhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137
- WEBhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/717d16af35b10dab04d434aefddbf991fc8c168c
- WEBhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/86da3e07718c8d8da6f4310386fef85599606f9b
- WEBhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-62r2-gcxr-426x