Citizen MediaWiki Skin Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Citizen MediaWiki skin, affecting versions through 3.3.0. The issue arises because system messages in menu headings are inserted as raw HTML. This flaw allows users with the 'editinterface' right, but not 'editsitejs', to inject arbitrary HTML into the DOM. The vulnerability can be exploited by manipulating specific system messages, which are then rendered unescaped in the menu headings.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, upload the Citizen MediaWiki skin version 3.3.0 or earlier. Then, go to the 'Messages' special page and edit a message that will be displayed in the menu heading. Insert a script tag or other HTML that could be used for cross-site scripting, such as an image tag with a JavaScript payload. After saving the message, the injected HTML will be executed when the menu heading is rendered.

Remediation

Users can update to Citizen MediaWiki skin version 3.3.1, which addresses this vulnerability by properly escaping menu heading messages.