Vulnerability Database
299,038
Total vulnerabilities in the database
Citizen skin vulnerable to stored XSS through multiple system messages
Various system messages are inserted by the Citizen skin in multiple places without proper sanitization.
1 - Command Palette Tips
Summary
Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The messages are retrieved using the plain() output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66
currentTip is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69
currentTip is inserted as raw HTML (vue/no-v-html should not be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L3-L4
PoC
- Edit
citizen-command-palette-tip-commands,citizen-command-palette-tip-users,citizen-command-palette-tip-namespaceandcitizen-command-palette-tip-templatesto<img src="" onerror="alert(1)">(script tags don't work here due to the way the HTML is inserted) - Open the command palette
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
2 - Menu Headings
Summary
All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The system messages for menu headings are inserted unescaped into raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10
PoC
- Go to any article using citizen with the
uselangparameter set tox-xss - A large number of alerts will be shown for various messages, e.g.:
On the main page of my test wiki, the following messages were shown: navigation, notifications, user-interface-preferences, personaltools, variants, views, associated-pages, cactions and toolbox.
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
3 - User registration date
Summary
Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The result of $this->lang->userDate( $timestamp, $this->user ) returns unescaped values, but is inserted as raw HTML by Citizen:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60
PoC
- Go to any page using citizen with the uselang parameter set to x-xss and while being logged in
Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's
november:
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
4 - Preferences menu headings
Summary
Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The innerHtml of the label div is set to the textContent of the label, essentially unsanitizing the system messages:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.preferences/addPortlet.polyfill.js#L18
PoC
- Edit
citizen-feature-custom-font-size-name(or any other message displayed in a heading in the preferences menu) to<img src="" onerror="alert('citizen-feature-custom-font-size-name')">(script tags don't work here due to the way the HTML is inserted) - Open the preferences menu
5 - No results messages
Summary
The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
Details
The system messages are inserted as raw HTML by the mustache template: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache#L8-L9
PoC
- Edit
citizen-search-noresults-titleandcitizen-search-noresults-descto<img src="" onerror="alert('citizen-search-noresults-title')">and<img src="" onerror="alert('citizen-search-noresults-desc')">(script tags don't work here due to the way the HTML is inserted) - Open the search bar and search for a page that doesn't exist to get the "no results" messages to show up
Impact
This impacts wikis where a group has the editinterface but not the editsitejs user right.
| Software | From | Fixed in |
|---|---|---|
starcitizentools / citizen-skin
|
2.4.2 | 3.3.1 |
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/54c8717d45ce1594918f11cb9ce5d0ccd8dfee65
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/93c36ac778397e0e7c46cf7adb1e5d848265f1bd
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-4c2h-67qq-vm87
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime