
GHSA-4c2h-67qq-vm87: Citizen skin vulnerable to stored XSS through multiple system messages

CVSS Score (v3.1): 6.5

Basic Information

CVE ID: -
EPSS Score: -
Published: 6/11/2025
Updated: 6/11/2025
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Package Name: starcitizentools/citizen-skin
Ecosystem: composer
Vulnerable Versions: >= 2.4.2, < 3.3.1
First Patched Version: 3.3.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability GHSA-4c2h-67qq-vm87 in the Citizen skin for MediaWiki encompasses multiple stored Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities stem from the improper handling of system messages, which can be edited by users with editinterface permissions. These messages were inserted into various parts of the user interface without adequate sanitization or escaping, allowing malicious HTML to be rendered in the victim's browser.

The analysis of the provided commits, particularly the security patch 93c36ac778397e0e7c46cf7adb1e5d848265f1bd, reveals several key areas of weakness:

  1. Command Palette Tips: System messages used as tips were fetched using mw.message().plain() (returning raw text) and then rendered via Vue's v-html, leading to XSS. The fix involves using mw.message().parse() to get sanitized HTML.
  2. Menu Headings: Mustache templates (specifically Menu.mustache) rendered menu heading labels (system messages) using {{{.}}} (unescaped HTML). The fix changes this to {{.}} for default escaping.
  3. User Registration Date: A PHP function (CitizenComponentUserInfo::getUserRegistration) directly embedded date-related system messages into HTML strings using sprintf. The fix employs Html::element() for safe HTML construction.
  4. Preferences Menu Headings: A JavaScript function (addDefaultPortlet) assigned heading labels, derived from system messages via textContent, through innerHTML. While textContent is generally safer, using innerHTML as the sink was risky. The fix enforces the use of textContent for the assignment, so the label is interpreted as plain text.
  5. No Results Messages: Another Mustache template (TypeaheadPlaceholder.mustache) rendered search-related system messages (title and description for no results) using {{{.}}}. The fix, again, is to use {{.}} for proper escaping.

The root cause across these instances is the trust placed in the content of system messages when rendering them in an HTML context. Since these messages can be altered by privileged users, they must be treated as untrusted input and sanitized or escaped appropriately before being included in the DOM. The patches address this by either changing how the messages are fetched/parsed (to ensure they are safe HTML) or by changing how they are rendered (to ensure they are treated as plain text or safely escaped HTML).
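The Mustache fixes in items 2 and 5 (triple braces to double braces) come down to HTML escaping at the sink. The following is an added example, not code from the Citizen skin or MediaWiki: a minimal Mustache-style renderer using the escape table mustache.js applies to double-brace tags, run over a constructed heading message; the `<h3>` markup and the `alert(1)` payload are assumed for illustration only.

```javascript
// Added example, not code from the Citizen skin or MediaWiki. A minimal
// Mustache-style renderer (variable tags only) showing why `{{{.}}}` is a
// stored-XSS sink for editable system messages and `{{.}}` is not.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
  "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;',
};

// Same character set mustache.js escapes for {{ }} tags.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`=\/]/g, (ch) => ESCAPE_MAP[ch]);
}

// Resolve a tag name against the view. "." is the view value itself, which is
// how a label is referenced inside a Mustache section.
function lookup(view, name) {
  if (name === '.') return view;
  return Object.prototype.hasOwnProperty.call(view, name) ? view[name] : '';
}

// Single pass over both tag forms so raw output is never re-scanned for tags:
// {{{name}}} is emitted verbatim, {{name}} is HTML-escaped first.
const TAG_RE = /\{\{\{\s*([\w.]+)\s*\}\}\}|\{\{\s*([\w.]+)\s*\}\}/g;

function render(template, view) {
  return template.replace(TAG_RE, (_, rawName, escName) =>
    rawName !== undefined
      ? String(lookup(view, rawName))
      : escapeHtml(lookup(view, escName)));
}

// Audit helper: list every triple-mustache tag in a template so a reviewer can
// check each one against the trust level of the value it receives.
function findRawTags(template) {
  return [...template.matchAll(/\{\{\{\s*([\w.]+)\s*\}\}\}/g)].map((m) => m[1]);
}

// Constructed sample: a heading message as an editinterface user could save it.
const TAMPERED_LABEL = 'Tools<img src=x onerror="alert(1)">';
// Heading markup is assumed; the real Menu.mustache differs.
const BEFORE_FIX = '<h3>{{{.}}}</h3>';  // pre-patch: raw HTML
const AFTER_FIX = '<h3>{{.}}</h3>';     // patched: default escaping

function renderMenuHeading(template) {
  return render(template, TAMPERED_LABEL);
}

console.log(renderMenuHeading(BEFORE_FIX)); // tag survives, browser runs it
console.log(renderMenuHeading(AFTER_FIX));  // tag is inert text
console.log(findRawTags(BEFORE_FIX));       // ['.']
```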
