4.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-47536

GHSA ID

GHSA-62r2-gcxr-426x

EPSS Score

0.26767%

CWE

CWE-79

Published

9/30/2024

Updated

9/30/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-47536

CVE-2024-47536: starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field

Summary

A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.

Details

Here's the offending line: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137

This was introduced in 717d16af35b10dab04d434aefddbf991fc8c168c

PoC

Login
Go to Special:Preferences
Set the real name field to a string like <script>alert("Admin with a propensity for self-XSSes")</script>
Save your settings and use Citizen if it's not being used already

Impact

Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-47536

CVE-2024-47536:

4.6

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-47536

GHSA ID

GHSA-62r2-gcxr-426x

EPSS Score

0.26767%

CWE

CWE-79

Published

9/30/2024

Updated

9/30/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
starcitizentools/citizen-skin	composer	>= 2.6.3, < 2.31.0	2.31.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the unescaped insertion of user-provided 'realname' into HTML output. The offending code in CitizenComponentUserInfo.php line 137 (pre-fix) used $user->getRealName() without escaping. The subsequent patch in commit 86da3e0 added htmlspecialchars() to both getRealName() and getName(), confirming the lack of output encoding was the root cause. The getUserPage method constructs the user info HTML using these unsanitized values, making it the primary vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-47536: starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field

Summary

Details

PoC

Impact

CVE-2024-47536:

4.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-47536: starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field

Summary

Details

PoC

Impact

Technical Details

4.6

4.6

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI