6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-4c2h-67qq-vm87

EPSS Score

CWE

CWE-79

Published

6/11/2025

Updated

6/11/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4c2h-67qq-vm87

GHSA-4c2h-67qq-vm87: Citizen skin vulnerable to stored XSS through multiple system messages

Various system messages are inserted by the Citizen skin in multiple places without proper sanitization.

1 - Command Palette Tips

Summary

Multiple system messages are inserted into the CommandPaletteFooter as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The messages are retrieved using the plain() output mode: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L61-L66 currentTip is set to one of these messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L69 currentTip is inserted as raw HTML (vue/no-v-html should not be ignored here): https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/resources/skins.citizen.commandPalette/components/CommandPaletteFooter.vue#L3-L4

PoC

Edit citizen-command-palette-tip-commands, citizen-command-palette-tip-users, citizen-command-palette-tip-namespace and citizen-command-palette-tip-templates to <img src="" onerror="alert(1)"> (script tags don't work here due to the way the HTML is inserted)
Open the command palette

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

2 - Menu Headings

Summary

All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The system messages for menu headings are inserted unescaped into raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10

PoC

Go to any article using citizen with the uselang parameter set to x-xss
A large number of alerts will be shown for various messages, e.g.:

On the main page of my test wiki, the following messages were shown: navigation, notifications, user-interface-preferences, personaltools, variants, views, associated-pages, cactions and toolbox.

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

3 - User registration date

Summary

Various date messages returned by Language::userDate are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The result of $this->lang->userDate( $timestamp, $this->user ) returns unescaped values, but is inserted as raw HTML by Citizen: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/includes/Components/CitizenComponentUserInfo.php#L55-L60

PoC

Go to any page using citizen with the uselang parameter set to x-xss and while being logged in Depending on the registration date of the account you're logged in with, various messages can be shown. In my case, it's november:

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

4 - Preferences menu headings

Summary

Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The innerHtml of the label div is set to the textContent of the label, essentially unsanitizing the system messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.preferences/addPortlet.polyfill.js#L18

PoC

Edit citizen-feature-custom-font-size-name (or any other message displayed in a heading in the preferences menu) to <img src="" onerror="alert('citizen-feature-custom-font-size-name')"> (script tags don't work here due to the way the HTML is inserted)
Open the preferences menu

5 - No results messages

Summary

The citizen-search-noresults-title and citizen-search-noresults-desc system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM.

Details

The system messages are inserted as raw HTML by the mustache template: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache#L8-L9

PoC

Edit citizen-search-noresults-title and citizen-search-noresults-desc to <img src="" onerror="alert('citizen-search-noresults-title')"> and <img src="" onerror="alert('citizen-search-noresults-desc')"> (script tags don't work here due to the way the HTML is inserted)
Open the search bar and search for a page that doesn't exist to get the "no results" messages to show up

Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-4c2h-67qq-vm87

EPSS Score

CWE

CWE-79

Published

6/11/2025

Updated

6/11/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
starcitizentools/citizen-skin	composer	>= 2.4.2, < 3.3.1	3.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability GHSA-4c2h-67qq-vm87 in the Citizen skin for MediaWiki encompasses multiple stored Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities stem from the improper handling of system messages, which can be edited by users with editinterface permissions. These messages were inserted into various parts of the user interface without adequate sanitization or escaping, allowing malicious HTML to be rendered in the victim's browser.

The analysis of the provided commits, particularly the security patch 93c36ac778397e0e7c46cf7adb1e5d848265f1bd, reveals several key areas of weakness:

Command Palette Tips: System messages used as tips were fetched using mw.message().plain() (returning raw text) and then rendered via Vue's v-html, leading to XSS. The fix involves using mw.message().parse() to get sanitized HTML.
Menu Headings: Mustache templates (specifically Menu.mustache) rendered menu heading labels (system messages) using {{{.}}} (unescaped HTML). The fix changes this to {{.}} for default escaping.
User Registration Date: A PHP function (CitizenComponentUserInfo::getUserRegistration) directly embedded date-related system messages into HTML strings using sprintf. The fix employs Html::element() for safe HTML construction.
Preferences Menu Headings: A JavaScript function (addDefaultPortlet) used innerHTML to set heading labels derived from system messages via textContent. While textContent is generally safer, the use of innerHTML as a sink was risky. The fix enforces the use of textContent for assignment, ensuring plain text interpretation.
No Results Messages: Another Mustache template (TypeaheadPlaceholder.mustache) rendered search-related system messages (title and description for no results) using {{{.}}}. The fix, again, is to use {{.}} for proper escaping.

The root cause across these instances is the trust placed in the content of system messages when rendering them in an HTML context. Since these messages can be altered by privileged users, they must be treated as untrusted input and sanitized or escaped appropriately before being included in the DOM. The patches address this by either changing how the messages are fetched/parsed (to ensure they are safe HTML) or by changing how they are rendered (to ensure they are treated as plain text or safely escaped HTML).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*rious syst*m m*ss***s *r* ins*rt** *y t** *itiz*n skin in multipl* pl***s wit*out prop*r s*nitiz*tion. ## * - *omm*n* P*l*tt* Tips ### Summ*ry Multipl* syst*m m*ss***s *r* ins*rt** into t** *omm*n*P*l*tt**oot*r *s r*w *TML, *llowin* *ny*o*y w*o *

Reasoning

T** vuln*r**ility **S*-****-**qq-vm** in t** *itiz*n skin *or M**i*Wiki *n*omp*ss*s multipl* stor** *ross-Sit* S*riptin* (XSS) vuln*r**iliti*s. T**s* vuln*r**iliti*s st*m *rom t** improp*r **n*lin* o* syst*m m*ss***s, w*i** **n ** **it** *y us*rs wit

6.5

Basic Information

Concerned about an active attack path?

GHSA-4c2h-67qq-vm87: Citizen skin vulnerable to stored XSS through multiple system messages

1 - Command Palette Tips

Summary

Details

PoC

Impact

2 - Menu Headings

Summary

Details

PoC

Impact

3 - User registration date

Summary

Details

PoC

Impact

4 - Preferences menu headings

Summary

Details

PoC

5 - No results messages

Summary

Details

PoC

Impact

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI