Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-g3cp-pq72-hjpv

GitHub Security Advisory

starcitizentools/citizen-skin allows stored XSS in menu heading message

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Summary
All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

### Details
The system messages for menu headings are inserted unescaped into raw HTML:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10

### PoC
1. Go to any article using citizen with the `uselang` parameter set to `x-xss`
2. A large number of alerts will be shown for various messages, e.g.:
![image](https://github.com/user-attachments/assets/6a18ec77-d2a0-4a0d-b4aa-83359304659a)
![image](https://github.com/user-attachments/assets/eaadb8e1-58b6-41be-90d2-829c50cf75ac)

On the main page of my test wiki, the following messages were shown: `navigation`, `notifications`, `user-interface-preferences`, `personaltools`, `variants`, `views`, `associated-pages`, `cactions` and `toolbox`.

### Impact
This impacts wikis where a group has the `editinterface` but not the `editsitejs` user right.

Affected Packages

Packagist starcitizentools/citizen-skin
Affected versions: 2.4.2 (fixed in 3.3.1)

Related CVEs

CVE-2025-49579

Key Information

GHSA ID
GHSA-g3cp-pq72-hjpv
Published
June 13, 2025 2:08 PM
Last Modified
June 13, 2025 2:08 PM
CVSS Score
5.0 /10
Primary Ecosystem
Packagist
Primary Package
starcitizentools/citizen-skin
GitHub Reviewed
✓ Yes

Dataset

Last updated: June 18, 2025 6:25 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.