Citizen MediaWiki Skin Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Citizen MediaWiki skin, in versions through 3.3.0. Date messages processed by 'Language::userDate' are inserted into the HTML without proper escaping, so users who are able to edit these messages can inject arbitrary HTML into the page. The vulnerability affects wikis where a group has the 'editinterface' right but not 'editsitejs'; a group that also holds 'editsitejs' can already edit site-wide JavaScript, so the flaw gives it no additional capability.
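The pattern described above and its fix, as an added stand-alone PHP example; it is not code from Citizen or MediaWiki. The message table, `formatUserDate` and both render functions are hypothetical stand-ins, and the override value and registration date are constructed.

```php
<?php
// Added example: stand-alone PHP, not Citizen or MediaWiki code.
// $messages stands in for interface messages that an 'editinterface'
// user can override on-wiki; the November entry is a constructed override.
$messages = [
    'november' => '<i data-injected="1">November</i>', // constructed, editor-controlled
    'december' => 'December',
];

// Hypothetical stand-in for a localized date formatter such as
// Language::userDate: it returns plain TEXT assembled from messages,
// so its result must not be treated as ready-made HTML.
function formatUserDate(array $messages, int $timestamp): string {
    $monthKey = strtolower(gmdate('F', $timestamp));
    $month = $messages[$monthKey] ?? gmdate('F', $timestamp);
    return gmdate('j', $timestamp) . ' ' . $month . ' ' . gmdate('Y', $timestamp);
}

// Vulnerable pattern: the formatted date is concatenated into markup as-is.
function renderJoinedUnsafe(string $date): string {
    return '<span class="user-joined">Joined ' . $date . '</span>';
}

// Hardened pattern: escape at the point of output, for the HTML text context.
function renderJoinedSafe(string $date): string {
    $escaped = htmlspecialchars($date, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="user-joined">Joined ' . $escaped . '</span>';
}

// Regression check a skin test could run: did message-derived markup survive?
function containsInjectedMarkup(string $html): bool {
    return strpos($html, '<i data-injected') !== false;
}

$registered = gmmktime(12, 0, 0, 11, 15, 2024); // constructed registration date
$date = formatUserDate($messages, $registered);

$unsafe = renderJoinedUnsafe($date);
$safe = renderJoinedSafe($date);

echo $unsafe, PHP_EOL; // the override's element is emitted as live markup
echo $safe, PHP_EOL;   // the override is emitted as inert, entity-encoded text
var_dump(containsInjectedMarkup($unsafe));
var_dump(containsInjectedMarkup($safe));
```

The same check works as a regression test after upgrading: render the date with a marker-bearing message override and assert that the marker never appears as an element in the output.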
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page.
Reproduction
To reproduce this vulnerability, log into a wiki using the Citizen skin with a user account that has the 'editinterface' right but not 'editsitejs'. Set the 'uselang' parameter to 'x-xss'. Depending on the registration date of the account, different messages will be displayed. If the registration date falls in November, for example, the message will reflect that month. This unescaped message injection demonstrates the cross-site scripting vulnerability.
Remediation
Users can update to Citizen MediaWiki skin version 3.3.1, which addresses this vulnerability.
