GHSA-G955-VW6W-V6PP

Vulnerability from github – Published: 2025-10-20 15:31 – Updated: 2025-10-20 15:31
Summary
Citizen vulnerable to stored XSS in sticky header button messages
Details

Summary

The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages.

Details

In the copyButtonAttributes function in stickyHeader.js, when copying the button labels, the innerHTML of the new element is set to the textContent of the old element:

https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/f4cbcecf5aca0ae69966b23d4983f9cb5033f319/resources/skins.citizen.scripts/stickyHeader.js#L29-L41

This unescapes any escaped HTML characters and causes the contents of the system messages to be interpreted as HTML.
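The round trip described above, as an added example that is not the skin's own code: an escaped label is read back through textContent (which decodes entities) and written to an HTML sink, next to a text-to-text copy. FakeElement, copyLabelVulnerable, copyLabelSafe and createsElement are hypothetical names; FakeElement is a minimal stand-in for a text-only DOM element so the block runs outside a browser, and the text-to-text copy is an assumption about a reasonable fix, not the project's actual patch.

```javascript
// Stand-in for a DOM element with text-only content (assumption for this
// example). It models two DOM facts: reading textContent decodes entities,
// and writing innerHTML stores the string as markup to be parsed.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESC[c]);
const decodeEntities = (s) =>
  s.replace(/&(amp|lt|gt|quot|#39);/g, (m) =>
    Object.keys(ESC).find((k) => ESC[k] === m));

class FakeElement {
  constructor(serverHtml = '') { this.html = serverHtml; }
  get innerHTML() { return this.html; }
  set innerHTML(v) { this.html = String(v); }               // treated as markup
  get textContent() { return decodeEntities(this.html.replace(/<[^>]*>/g, '')); }
  set textContent(v) { this.html = escapeHtml(String(v)); } // treated as text
}

// Pattern from the advisory: decoded text is written to an HTML sink.
function copyLabelVulnerable(from, to) { to.innerHTML = from.textContent; }

// Hardened form (assumed, not the project's patch): copy text to text.
function copyLabelSafe(from, to) { to.textContent = from.textContent; }

// True when the element's serialized content would create an element node.
const createsElement = (el) => /<[a-z]/i.test(el.innerHTML);

// Constructed input: the PoC message text from the advisory, which the
// original button is assumed to carry in escaped form.
const message = `<img src="" onerror="alert('Sticky Header Button XSS')">`;

function demo() {
  const original = new FakeElement(escapeHtml(message));
  const vulnerable = new FakeElement();
  const safe = new FakeElement();
  copyLabelVulnerable(original, vulnerable);
  copyLabelSafe(original, safe);
  return {
    original: createsElement(original),     // escaped label: plain text
    vulnerable: createsElement(vulnerable), // entities decoded, then parsed
    safe: createsElement(safe),             // still plain text
    safeText: safe.textContent,             // label text is preserved
  };
}

console.log(demo());
```

In a browser, the two copy functions behave the same way on real elements.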

PoC

  1. Edit any of the affected messages (citizen-share, citizen-view-history, citizen-view-edit, nstab-talk) to the following payload: <img src="" onerror="alert('Sticky Header Button XSS')">.
  2. Visit any mainpage article in the wiki using the Citizen skin.


Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right. By default, this is the case for the sysop group.


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "starcitizentools/citizen-skin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-20T15:31:06Z",
    "nvd_published_at": "2025-10-17T21:15:36Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages.\n\n### Details\nIn the `copyButtonAttributes` function in `stickyHeader.js`, when copying the button labels, the `innerHTML` of the new element is set to the `textContent` of the old element:\nhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/f4cbcecf5aca0ae69966b23d4983f9cb5033f319/resources/skins.citizen.scripts/stickyHeader.js#L29-L41\nThis unescapes any escaped HTML characters and causes the contents of the system messages to be interpreted as HTML.\n\n### PoC\n1. Edit any of the affected messages (`citizen-share`, `citizen-view-history`, `citizen-view-edit`, `nstab-talk`) to the following payload: `\u003cimg src=\"\" onerror=\"alert(\u0027Sticky Header Button XSS\u0027)\"\u003e`.\n2. Visit any mainpage article in the wiki using the Citizen skin.\n\n\u003cimg width=\"495\" height=\"228\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ac75b8e1-b181-4335-9526-17d6b6f8518e\" /\u003e\n\u003cimg width=\"569\" height=\"157\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c052edb9-ff68-4869-9c66-3ec85e7ff68a\" /\u003e\n\n\n### Impact\nThis impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. By default, this is the case for the `sysop` group.",
  "id": "GHSA-g955-vw6w-v6pp",
  "modified": "2025-10-20T15:31:06Z",
  "published": "2025-10-20T15:31:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g955-vw6w-v6pp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62508"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/e006923c6dbf113c9a025ca186ecc09fe7b93a15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/fbb1d4fe9627281567706f3f6fc99a42ce16fdc4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Citizen vulnerable to stored XSS in sticky header button messages"
}

