CVE-2025-62508
Severity: MEDIUM 6.5
EPSS: 0.03%
Citizen vulnerable to stored XSS in sticky header button messages

Description
### Summary

The JavaScript that copies button labels into the sticky header of the Citizen skin unescapes HTML characters in those labels, which allows stored XSS through system messages.

### Details

In the `copyButtonAttributes` function in `stickyHeader.js`, the label of each header button is copied by assigning the `textContent` of the original element to the `innerHTML` of the new element:

https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/f4cbcecf5aca0ae69966b23d4983f9cb5033f319/resources/skins.citizen.scripts/stickyHeader.js#L29-L41

`textContent` returns the label with HTML entities already decoded, so any characters the server escaped when rendering the message (for example `&lt;` for `<`) come back as literal markup. Assigning that string to `innerHTML` then parses it as HTML, and the contents of the system message are interpreted as markup instead of being shown as text.

### PoC

1. Edit any of the affected messages (`citizen-share`, `citizen-view-history`, `citizen-view-edit`, `nstab-talk`) to the following payload: `<img src="" onerror="alert('Sticky Header Button XSS')">`.
2. Visit any article in the wiki using the Citizen skin.

![Screenshot](https://github.com/user-attachments/assets/ac75b8e1-b181-4335-9526-17d6b6f8518e)

![Screenshot](https://github.com/user-attachments/assets/c052edb9-ff68-4869-9c66-3ec85e7ff68a)

### Impact

This affects wikis where a user group holds the `editinterface` right (which allows editing system messages in the `MediaWiki:` namespace) but not the `editsitejs` right (which allows editing site-wide JavaScript). A member of such a group can use the flaw to run arbitrary JavaScript in the browser of every visitor who uses the skin, which is exactly the capability `editsitejs` is meant to gate. By default, this is the case for the `sysop` group.
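The unescape-then-parse sequence described in the Details section, as an added example that is not part of the advisory or of the Citizen code base. It runs offline in Node against a deliberately minimal DOM stand-in (an assumption of this example: a flat tag parser with double-quoted attributes and a five-entity encoder, not a browser-exact DOM), and compares the vulnerable copy (`innerHTML = textContent`) with a text-only copy (`textContent = textContent`) using the PoC payload. The function names `renderServerButton`, `copyLabelVulnerable`, `copyLabelFixed`, `hasEventHandlerChild` and `copyWith` are this example's own.

```javascript
// Added example (not code from the Citizen skin): a minimal DOM stand-in that
// reproduces the two behaviours the advisory relies on, so the vulnerable and
// fixed copy patterns can be compared offline in Node. Entity handling and the
// fragment parser are simplified (flat tags only, double-quoted attributes) and
// are an assumption of this example, not browser-exact.

const DECODE = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#039;': "'", '&amp;': '&' };
const ENCODE = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;', '&': '&amp;' };

function decodeEntities(s) { return s.replace(/&lt;|&gt;|&quot;|&#039;|&amp;/g, m => DECODE[m]); }
function encodeEntities(s) { return s.replace(/[<>"'&]/g, c => ENCODE[c]); }

class TextNode {
  constructor(data) { this.nodeType = 3; this.data = data; }
}

class Element {
  constructor(tagName, attrs = {}) {
    this.nodeType = 1; this.tagName = tagName; this.attrs = attrs; this.childNodes = [];
  }
  // Reading textContent yields decoded text: escaped markup comes back as raw markup.
  get textContent() {
    return this.childNodes.map(n => (n.nodeType === 3 ? n.data : n.textContent)).join('');
  }
  // Writing textContent stores the string as one text node; it is never parsed.
  set textContent(v) { this.childNodes = [new TextNode(String(v))]; }
  // Reading innerHTML re-escapes text nodes and serialises element children.
  get innerHTML() {
    return this.childNodes.map(n => (n.nodeType === 3
      ? encodeEntities(n.data)
      : `<${n.tagName}${Object.entries(n.attrs).map(([k, v]) => ` ${k}="${v}"`).join('')}>`)).join('');
  }
  // Writing innerHTML parses the string as HTML: this is the sink.
  set innerHTML(html) { this.childNodes = parseFragment(html); }
}

// Parse a fragment into text and element nodes (flat model: no nesting needed here).
function parseFragment(html) {
  const nodes = [];
  const tagRe = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m.index > last) nodes.push(new TextNode(decodeEntities(html.slice(last, m.index))));
    if (m[1] === '') {            // opening tag: collect name="value" pairs
      const attrs = {};
      const attrRe = /([^\s=]+)(?:="([^"]*)")?/g;
      let a;
      while ((a = attrRe.exec(m[3])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? '';
      nodes.push(new Element(m[2].toLowerCase(), attrs));
    }                             // closing tags carry no content in this flat model
    last = tagRe.lastIndex;
  }
  if (last < html.length) nodes.push(new TextNode(decodeEntities(html.slice(last))));
  return nodes;
}

// The server-rendered header button: the message text is escaped when the HTML
// is emitted, so a payload stored in the message arrives in the page as inert text.
function renderServerButton(messageText) {
  const btn = new Element('a');
  btn.textContent = messageText;
  return btn;
}

// Vulnerable pattern described in the advisory: textContent (decoded) -> innerHTML (parsed).
function copyLabelVulnerable(src, dst) { dst.innerHTML = src.textContent; }

// Hardened pattern: copy text as text, so the label can never become markup.
function copyLabelFixed(src, dst) { dst.textContent = src.textContent; }

// True if any child element carries an on* event-handler attribute.
function hasEventHandlerChild(el) {
  return el.childNodes.some(n => n.nodeType === 1 && Object.keys(n.attrs).some(k => k.startsWith('on')));
}

// Constructed input: the same payload the advisory's PoC stores in the message.
const PAYLOAD = '<img src="" onerror="alert(\'Sticky Header Button XSS\')">';

// Render the button as the server would, copy its label with the given function,
// and report what the sticky-header copy now contains.
function copyWith(copyFn, messageText = PAYLOAD) {
  const src = renderServerButton(messageText);
  const dst = new Element('a');
  copyFn(src, dst);
  return { innerHTML: dst.innerHTML, executable: hasEventHandlerChild(dst) };
}

console.log('server-rendered:', renderServerButton(PAYLOAD).innerHTML);
console.log('vulnerable copy:', copyWith(copyLabelVulnerable));
console.log('fixed copy:     ', copyWith(copyLabelFixed));
```

The check to carry back to a real code base is the sink itself: any assignment to `innerHTML` from a string that was read out of the DOM (or from a message API) rather than produced by a trusted serializer will re-parse whatever the server escaped. Copying a label should go through `textContent`; a button that genuinely needs markup should be duplicated with `cloneNode(true)` from the server-rendered node instead of being round-tripped through a string.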
Affected packages (1)
- Packagist: starcitizentools/citizen-skin >= 3.3.0, < 3.9.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
References (5)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-62508
- PATCH: https://github.com/StarCitizenTools/mediawiki-skins-Citizen
- WEB: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/e006923c6dbf113c9a025ca186ecc09fe7b93a15
- WEB: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/fbb1d4fe9627281567706f3f6fc99a42ce16fdc4
- WEB: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g955-vw6w-v6pp