Products
MediaWiki Citizen Skin
- 2.31.0
Source
security-advisories@github.com
Tags
CVE-2024-47536 details
Published : Sept. 30, 2024, 5:15 p.m.
Last Modified : Sept. 30, 2024, 5:15 p.m.
Last Modified : Sept. 30, 2024, 5:15 p.m.
Description
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
References
| URL | Source |
|---|---|
| https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137 | security-advisories@github.com |
| https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/717d16af35b10dab04d434aefddbf991fc8c168c | security-advisories@github.com |
| https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/86da3e07718c8d8da6f4310386fef85599606f9b | security-advisories@github.com |
| https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-62r2-gcxr-426x | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.