CVE-2024-47536

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47536
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-47536.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-47536
Aliases
Published
2024-09-30T17:09:40.192Z
Modified
2025-12-05T06:33:04.114161Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field
Details

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47536.json"
}
References

Affected packages

Git / github.com/starcitizentools/mediawiki-skins-citizen

Affected ranges

Type
GIT
Repo
https://github.com/starcitizentools/mediawiki-skins-citizen
Events
Introduced
cb15810de98a77ea652afdfe2d9e6d366e499324
Fixed
d4e65977b505bb3915969805cdd5c004325f5e70

Affected versions

v2.*

v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.14.0
v2.14.1
v2.15.0
v2.15.1
v2.16.0
v2.16.1
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.18.1
v2.19.0
v2.20.0
v2.21.0
v2.22.0
v2.22.1
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.29.0
v2.30.0
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.1
v2.7.10
v2.7.11
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.9.0
v2.9.1