Various date messages returned by Language::userDate
are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.
The result of $this->lang->userDate( $timestamp, $this->user )
returns unescaped values, but is inserted as raw HTML by Citizen:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60
november
:
This impacts wikis where a group has the editinterface
but not the editsitejs
user right.
{ "github_reviewed": true, "nvd_published_at": "2025-06-12T19:15:20Z", "severity": "MODERATE", "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2025-06-13T14:09:00Z" }