Citizen MediaWiki Skin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Citizen MediaWiki skin, specifically in versions of the skin released after the inclusion of commit 54c8717d45ce1594918f11cb9ce5d0ccd8dfee65. The issue arises because multiple system messages are inserted into the CommandPaletteFooter component as raw HTML. This allows users who can edit those messages to inject arbitrary HTML into the DOM. The vulnerability affects wikis where a group has the 'editinterface' right but not the 'editsitejs' right.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
Reproduction
To reproduce this vulnerability, edit the system messages used by the Command Palette tips to include malicious HTML, such as an image tag with an 'onerror' event. After saving the changes, open the Command Palette; the injected HTML then executes, for example by displaying an alert box.
Remediation
Users can update to Citizen version 3.3.1, where this vulnerability has been fixed.
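The raw-HTML pattern described under Vulnerability, next to an escaped rendering and a simple audit of message overrides, as an added example that is not code from Citizen or from this advisory. The function names and message keys are hypothetical, and the sample messages are constructed.

```javascript
// Constructed sample of on-wiki message overrides. The keys are hypothetical
// placeholders, not Citizen's real message names.
const sampleMessages = {
  'example-palette-tip-1': 'Type / to search pages',
  'example-palette-tip-2': '<img src=x onerror=alert(1)>',
};

// Vulnerable pattern: the message text is concatenated into markup, which is
// what happens when a message is assigned through a raw-HTML sink such as innerHTML.
function renderTipUnsafe(message) {
  return '<span class="tip">' + message + '</span>';
}

// Escape the characters that let text break out of an HTML text or attribute context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: the message is treated as text, so any tags in it render inert.
function renderTipSafe(message) {
  return '<span class="tip">' + escapeHtml(message) + '</span>';
}

// Audit helper: return the keys of messages whose text contains a tag or an
// inline event handler, so overrides saved while a vulnerable version was
// deployed can be reviewed by hand.
function auditMessages(messages) {
  const suspicious = /<\s*[a-z!\/]|\bon[a-z]+\s*=/i;
  return Object.keys(messages).filter((key) => suspicious.test(messages[key]));
}
```

The audit only flags candidates for manual review; messages that legitimately contain markup will also match.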
