GHSA-86xf-2mgp-gv3g

Advisory Details

### Summary
The `citizen-search-noresults-title` and `citizen-search-noresults-desc` system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

### Details
The system messages are inserted as raw HTML by the mustache template:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache#L8-L9

### PoC
1. Edit `citizen-search-noresults-title` and `citizen-search-noresults-desc` to `<img src="" onerror="alert('citizen-search-noresults-title')">` and `<img src="" onerror="alert('citizen-search-noresults-desc')">` (script tags don't work here due to the way the HTML is inserted)
2. Open the search bar and search for a page that doesn't exist to get the "no results" messages to show up

![image](https://github.com/user-attachments/assets/cf2963bc-5c86-4a4d-8574-de92d89d6d81)
![image](https://github.com/user-attachments/assets/44839a7e-c08c-4df9-bd84-0f5863f64163)

### Impact
This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.

Affected Packages

Packagist starcitizentools/citizen-skin

Affected versions: 2.31.0 (fixed in 3.3.1)

Related CVEs

CVE-2025-49576

starcitizentools/citizen-skin allows stored XSS in search no result messages

Advisory Details

Affected Packages

Related CVEs

Key Information

Dataset