GHSA-2v3v-3whp-953h

Suggest an improvement
Source
https://github.com/advisories/GHSA-2v3v-3whp-953h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-2v3v-3whp-953h/GHSA-2v3v-3whp-953h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-2v3v-3whp-953h
Aliases
Published
2025-06-13T14:09:00Z
Modified
2025-06-13T15:47:01.155828Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
starcitizentools/citizen-skin allows stored XSS in user registration date message
Details

Summary

Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The result of $this->lang->userDate( $timestamp, $this->user ) returns unescaped values, but is inserted as raw HTML by Citizen: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60

PoC

  1. Go to any page using citizen with the uselang parameter set to x-xss and while being logged in Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's november: image

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

Database specific
{
    "github_reviewed": true,
    "nvd_published_at": "2025-06-12T19:15:20Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2025-06-13T14:09:00Z"
}
References

Affected packages

Packagist / starcitizentools/citizen-skin

Package

Name
starcitizentools/citizen-skin
Purl
pkg:composer/starcitizentools/citizen-skin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.3.0
Fixed
3.3.1

Affected versions

v3.*

v3.3.0