MediaWiki Citizen Skin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Citizen skin for MediaWiki. This issue arises because various preference messages are inserted into the HTML without proper sanitization, allowing users who can edit these messages to inject arbitrary HTML into the document. The vulnerability affects Citizen skin versions through a741639085d70c22a9f49890542a142a223bf981.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the preferences menu.
Reproduction
To reproduce this vulnerability, edit a preference message that is displayed as a heading in the preferences menu, such as 'citizen-feature-custom-font-size-name'. Insert an image tag with an 'onerror' event (script tags are not effective due to the HTML handling). After saving the message, open the preferences menu to trigger the alert, demonstrating the execution of the injected script.
Remediation
Users can update to Citizen skin version 3.3.1 or later, where this vulnerability has been fixed.
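The class of bug described above, message text concatenated into HTML without escaping, is shown here beside an escaped version with a small regression check and message audit. This is an added example, not code from the Citizen skin; the function names, message keys and sample values are hypothetical and constructed for illustration.

```javascript
// Added illustration, not the Citizen skin's code. All names are hypothetical.

// Constructed sample message store. The second value stands in for an
// interface message that someone with message-editing rights has changed.
const sampleMessages = {
  'example-feature-theme-name': 'Theme',
  'example-feature-font-size-name': '<img src=x onerror=alert(1)>'
};

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the message text is concatenated into markup unchanged,
// so any tags it contains become part of the document.
function renderHeadingUnsafe(messages, key) {
  return '<h3 class="pref-heading">' + messages[key] + '</h3>';
}

// Hardened pattern: the message is treated as plain text and escaped first.
function renderHeadingSafe(messages, key) {
  return '<h3 class="pref-heading">' + escapeHtml(messages[key]) + '</h3>';
}

// Regression check: true if the rendered heading contains any tag other
// than the wrapper the renderer itself emits.
function containsInjectedTag(html) {
  const inner = html.slice('<h3 class="pref-heading">'.length, -'</h3>'.length);
  return /<[a-zA-Z\/!]/.test(inner);
}

// Audit helper: list message keys whose text contains tag-like content,
// which is worth reviewing for messages meant to be plain labels.
function findMessagesWithMarkup(messages) {
  return Object.keys(messages).filter((key) => /<[a-zA-Z\/!]/.test(messages[key]));
}

console.log(renderHeadingSafe(sampleMessages, 'example-feature-font-size-name'));
console.log(findMessagesWithMarkup(sampleMessages));
```

In MediaWiki client-side code the same effect is obtained by assigning message text to `textContent` or by using `mw.message( key ).escaped()` when building HTML strings.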
