GHSA-62r2-gcxr-426x

Suggest an improvement
Source
https://github.com/advisories/GHSA-62r2-gcxr-426x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-62r2-gcxr-426x/GHSA-62r2-gcxr-426x.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-62r2-gcxr-426x
Aliases
Published
2024-09-30T17:48:33Z
Modified
2024-09-30T20:22:42.793079Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field
Details

Summary

A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.

Details

Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137

This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c

PoC

  1. Login
  2. Go to Special:Preferences
  3. Set the real name field to a string like <script>alert("Admin with a propensity for self-XSSes")</script>
  4. Save your settings and use Citizen if it's not being used already

Impact

Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.

Database specific
{
    "nvd_published_at": "2024-09-30T17:15:04Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-30T17:48:33Z"
}
References

Affected packages

Packagist / starcitizentools/citizen-skin

Package

Name
starcitizentools/citizen-skin
Purl
pkg:composer/starcitizentools/citizen-skin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.3
Fixed
2.31.0

Affected versions

v2.*

v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.9.0
v2.9.1
v2.10.0
v2.10.1
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.14.0
v2.14.1
v2.15.0
v2.15.1
v2.16.0
v2.16.1
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.18.1
v2.19.0
v2.20.0
v2.21.0
v2.22.0
v2.22.1
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.29.0
v2.30.0