GHSA-4c2h-67qq-vm87

Source

https://github.com/advisories/GHSA-4c2h-67qq-vm87

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-4c2h-67qq-vm87/GHSA-4c2h-67qq-vm87.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4c2h-67qq-vm87

Aliases

CVE-2025-49575

Published

2025-06-11T19:59:54Z

Modified

2025-06-13T04:30:31.802497Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Summary

Citizen skin vulnerable to stored XSS through multiple system messages

Details

Summary

Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The messages are retrieved using the plain() output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66 currentTip is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69 currentTip is inserted as raw HTML (vue/no-v-html should not be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L3-L4

PoC

Edit citizen-command-palette-tip-commands, citizen-command-palette-tip-users, citizen-command-palette-tip-namespace and citizen-command-palette-tip-templates to <img src="" onerror="alert(1)"> (script tags don't work here due to the way the HTML is inserted)
Open the command palette

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-11T19:59:54Z",
    "nvd_published_at": "2025-06-12T19:15:20Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE"
}

References

Affected packages

Packagist / starcitizentools/citizen-skin

Package

Name: starcitizentools/citizen-skin
Purl: pkg:composer/starcitizentools/citizen-skin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.2

Fixed

3.3.1

Affected versions

v2.*

v2.4.2

v2.4.3

v2.4.4

v2.5.0

v2.5.1

v2.5.2

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.7.10

v2.7.11

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.9.0

v2.9.1

v2.10.0

v2.10.1

v2.11.0

v2.11.1

v2.12.0

v2.13.0

v2.13.1

v2.13.2

v2.13.3

v2.13.4

v2.13.5

v2.14.0

v2.14.1

v2.15.0

v2.15.1

v2.16.0

v2.16.1

v2.17.0

v2.17.1

v2.17.2

v2.18.0

v2.18.1

v2.19.0

v2.20.0

v2.21.0

v2.22.0

v2.22.1

v2.23.0

v2.24.0

v2.25.0

v2.26.0

v2.27.0

v2.28.0

v2.29.0

v2.30.0

v2.31.0

v2.32.0

v2.33.0

v2.34.0

v2.35.0

v2.36.0

v2.37.0

v2.38.0

v2.38.1

v2.38.2

v2.38.3

v2.39.0

v2.39.1

v2.39.2

v2.39.3

v2.39.4

v2.40.0

v2.40.1

v2.40.2

v3.*

v3.0.0

v3.1.0

v3.2.0

v3.3.0