ghsa-g955-vw6w-v6pp
Vulnerability from github
Published: 2025-10-20 15:31
Modified: 2025-10-20 15:31
Summary: Citizen vulnerable to stored XSS in sticky header button messages
Details

Summary

The JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages.

Details

In the copyButtonAttributes function in stickyHeader.js, when copying the button labels, the innerHTML of the new element is set to the textContent of the old element:
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/f4cbcecf5aca0ae69966b23d4983f9cb5033f319/resources/skins.citizen.scripts/stickyHeader.js#L29-L41
This unescapes any escaped HTML characters and causes the contents of the system messages to be interpreted as HTML.
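To audit other skin or gadget scripts for the same flaw class, the following added example (not code from the Citizen project) flags lines where an HTML-parsing sink is fed from textContent or innerText. The function name findUnescapingAssignments and the SAMPLE input are hypothetical and constructed for illustration; the check is a line-based heuristic and goes slightly beyond the advisory by also covering outerHTML and insertAdjacentHTML.

```javascript
// Added example: heuristic audit for HTML sinks fed from decoded text.
// Not the Citizen project's code. SAMPLE below is constructed for illustration.

// Sinks that parse their input as HTML: innerHTML/outerHTML assignment
// (but not == / === comparisons) and insertAdjacentHTML(position, html).
const HTML_SINK =
  /\.(innerHTML|outerHTML)\s*=(?!=)\s*([^;\n]+)|\.insertAdjacentHTML\s*\(\s*[^,]+,\s*([^)\n]+)\)/g;

// Sources that return entity-decoded text: "&lt;img&gt;" in markup reads back as "<img>".
const DECODED_TEXT = /\.(textContent|innerText)\b/;

function findUnescapingAssignments(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    // Drop trailing line comments. Heuristic: also trims after "//" inside strings.
    const code = line.replace(/\/\/.*$/, '');
    for (const m of code.matchAll(HTML_SINK)) {
      const expr = (m[2] || m[3]).trim();
      if (DECODED_TEXT.test(expr)) {
        findings.push({ line: idx + 1, sink: m[1] || 'insertAdjacentHTML', expr });
      }
    }
  });
  return findings;
}

// Constructed sample: one function mixing the flawed and the safe copy.
const SAMPLE = [
  'function copyLabel(from, to) {',
  '  to.innerHTML = from.textContent; // flagged: decoded text re-parsed as HTML',
  '  to.textContent = from.textContent; // safe: text stays text',
  '  to.insertAdjacentHTML("beforeend", from.innerText);',
  '  if (to.innerHTML == from.textContent) { return; } // comparison, not a sink',
  '}',
].join('\n');

console.log(findUnescapingAssignments(SAMPLE));
```

A finding is a prompt for manual review; where the copied value is plain text, assigning it to textContent keeps it from being parsed as markup.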

PoC

  1. Edit any of the affected messages (citizen-share, citizen-view-history, citizen-view-edit, nstab-talk) to the following payload: <img src="" onerror="alert('Sticky Header Button XSS')">.
  2. Visit any mainpage article in the wiki using the Citizen skin.


Impact

This impacts wikis where a group has the editinterface but not the editsitejs user right. By default, this is the case for the sysop group.



{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "starcitizentools/citizen-skin"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.3.0"
            },
            {
              "fixed": "3.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62508"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-20T15:31:06Z",
    "nvd_published_at": "2025-10-17T21:15:36Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe JS implementation for copying button labels to the sticky header in the Citizen skin unescapes HTML characters, allowing for stored XSS through system messages.\n\n### Details\nIn the `copyButtonAttributes` function in `stickyHeader.js`, when copying the button labels, the `innerHTML` of the new element is set to the `textContent` of the old element:\nhttps://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/f4cbcecf5aca0ae69966b23d4983f9cb5033f319/resources/skins.citizen.scripts/stickyHeader.js#L29-L41\nThis unescapes any escaped HTML characters and causes the contents of the system messages to be interpreted as HTML.\n\n### PoC\n1. Edit any of the affected messages (`citizen-share`, `citizen-view-history`, `citizen-view-edit`, `nstab-talk`) to the following payload: `\u003cimg src=\"\" onerror=\"alert(\u0027Sticky Header Button XSS\u0027)\"\u003e`.\n2. Visit any mainpage article in the wiki using the Citizen skin.\n\n\u003cimg width=\"495\" height=\"228\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ac75b8e1-b181-4335-9526-17d6b6f8518e\" /\u003e\n\u003cimg width=\"569\" height=\"157\" alt=\"image\" src=\"https://github.com/user-attachments/assets/c052edb9-ff68-4869-9c66-3ec85e7ff68a\" /\u003e\n\n\n### Impact\nThis impacts wikis where a group has the `editinterface` but not the `editsitejs` user right. By default, this is the case for the `sysop` group.",
  "id": "GHSA-g955-vw6w-v6pp",
  "modified": "2025-10-20T15:31:06Z",
  "published": "2025-10-20T15:31:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-g955-vw6w-v6pp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62508"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/e006923c6dbf113c9a025ca186ecc09fe7b93a15"
    },
    {
      "type": "WEB",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/fbb1d4fe9627281567706f3f6fc99a42ce16fdc4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/StarCitizenTools/mediawiki-skins-Citizen"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Citizen vulnerable to stored XSS in sticky header button messages"
}

