GHSA-62r2-gcxr-426x
Suggest an improvement- Source
- https://github.com/advisories/GHSA-62r2-gcxr-426x
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-62r2-gcxr-426x/GHSA-62r2-gcxr-426x.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-62r2-gcxr-426x
- Aliases
- Published
- 2024-09-30T17:48:33Z
- Modified
- 2024-09-30T20:26:23.850872Z
- Severity
-
- 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field
- Details
-
Summary
A user with the
editmyprivateinforight or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.Details
Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137
This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c
PoC
- Login
- Go to Special:Preferences
- Set the real name field to a string like
<script>alert("Admin with a propensity for self-XSSes")</script> - Save your settings and use Citizen if it's not being used already
Impact
Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.
- Database specific
{ "nvd_published_at": "2024-09-30T17:15:04Z", "cwe_ids": [ "CWE-79", "CWE-80" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-09-30T17:48:33Z" }- References
-
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-62r2-gcxr-426x
- https://nvd.nist.gov/vuln/detail/CVE-2024-47536
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/717d16af35b10dab04d434aefddbf991fc8c168c
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/86da3e07718c8d8da6f4310386fef85599606f9b
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen
- https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137
Affected packages
Packagist / starcitizentools/citizen-skin
Package
- Name
- starcitizentools/citizen-skin
- Purl
- pkg:composer/starcitizentools/citizen-skin
Affected versions
v2.*
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.9.0
v2.9.1
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.14.0
v2.14.1
v2.15.0
v2.15.1
v2.16.0
v2.16.1
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.18.1
v2.19.0
v2.20.0
v2.21.0
v2.22.0
v2.22.1
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.29.0
v2.30.0