Citizen MediaWiki Skin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Citizen MediaWiki skin, affecting versions from commit a0296afaedbe1a277337a2d8f1da83cb3a79b9ab onward, up to the fix in 3.3.1. The 'citizen-search-noresults-title' and 'citizen-search-noresults-desc' system messages are inserted into the page as raw HTML rather than as escaped text. Anyone who can edit those messages (in MediaWiki they are pages in the MediaWiki namespace, which requires the editinterface right, held by administrators by default) can therefore inject arbitrary HTML, including script-bearing elements, into the document object model (DOM) of every user who triggers the search 'no results' view.
Impact
Exploitation of this vulnerability results in stored cross-site scripting: the injected markup is saved in the wiki and executed in the browser of every user whose search returns no results, running in that user's session and within the wiki's origin. The practical attacker is an account that holds the right to edit interface messages, or a compromised one, but the payload reaches all viewers, not only users who trust that editor.
Reproduction
To reproduce this vulnerability, edit the 'citizen-search-noresults-title' and 'citizen-search-noresults-desc' system messages so that they contain an img element whose onerror attribute runs script, for example a call to alert(). After saving the changes, search for a page that does not exist so that the 'no results' view is shown; the messages are rendered unescaped and the injected handler fires.
Remediation
Update to Citizen version 3.3.1 or later, where this vulnerability has been fixed. Until the upgrade is applied, a wiki administrator can review the MediaWiki:Citizen-search-noresults-title and MediaWiki:Citizen-search-noresults-desc pages for unexpected markup and limit which accounts hold the editinterface right.
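The following is an added, self-contained model of the unsafe and safe rendering paths described in the Vulnerability and Reproduction sections above; it is illustrative code, not the Citizen skin's own source, and its function names, the template markup and the in-memory message store standing in for MediaWiki's message system are all assumptions made for the example. The stored message value is the constructed payload from the reproduction steps.

```javascript
// Added illustrative model of the bug; not the Citizen skin's code.
// Assumptions (hypothetical): the no-results view is built from a template
// string, and the two messages are read from a plain object that stands in
// for MediaWiki's message store.

// Constructed sample message store. The second entry is the attacker-edited
// value from the reproduction steps: an <img> whose onerror handler runs script.
const messages = {
  "citizen-search-noresults-title": "No results found",
  "citizen-search-noresults-desc":
    '<img src="x" onerror="alert(document.cookie)">',
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: message text is interpolated into markup unchanged,
// so any HTML an interface editor saved becomes live DOM in every viewer's browser.
function renderNoResultsVulnerable(store) {
  return (
    '<div class="citizen-search__noresults">' +
    `<h3>${store["citizen-search-noresults-title"]}</h3>` +
    `<p>${store["citizen-search-noresults-desc"]}</p>` +
    "</div>"
  );
}

// Hardened pattern: the same messages are escaped before insertion. The stored
// payload is still displayed, but as inert text rather than as an element.
function renderNoResultsEscaped(store) {
  return (
    '<div class="citizen-search__noresults">' +
    `<h3>${escapeHtml(store["citizen-search-noresults-title"])}</h3>` +
    `<p>${escapeHtml(store["citizen-search-noresults-desc"])}</p>` +
    "</div>"
  );
}

// Practitioner check for a wiki that has not yet upgraded: does a message value
// contain anything that would parse as a tag or an event-handler attribute?
// Run it over the current text of the MediaWiki:Citizen-search-noresults-* pages.
function looksLikeMarkupInjection(value) {
  return /<\s*[a-z!\/]/i.test(value) || /\bon[a-z]+\s*=/i.test(value);
}

// Stand-alone demonstration.
console.log("vulnerable:", renderNoResultsVulnerable(messages));
console.log("escaped:   ", renderNoResultsEscaped(messages));
for (const key of Object.keys(messages)) {
  console.log(key, "suspicious:", looksLikeMarkupInjection(messages[key]));
}
```

In MediaWiki's client-side API the same distinction exists between mw.message( key ).escaped(), which returns HTML-escaped text, and .text(), which does not; passing an unescaped interface message into innerHTML or a raw (triple-brace) Mustache slot is the pattern that turns an editable message into stored XSS. Whether the actual 3.3.1 fix uses escaping or a text node is not stated on this page and is not assumed here.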
