Citizen Skin for MediaWiki Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Citizen skin for MediaWiki, affecting versions 1.9.4 prior to 3.4.0. The issue arises because short descriptions from the ShortDescription extension are inserted as raw HTML, allowing users to inject arbitrary HTML into the DOM by editing a page. This vulnerability has been patched in version 3.4.0.

Impact

Exploitation of this vulnerability allows for the injection of arbitrary HTML, including JavaScript, into the DOM, which could be executed in the context of the user.

Reproduction

To reproduce this vulnerability, first ensure that the Citizen skin and the ShortDescription extension are both enabled. Then, add a short description containing unsanitized HTML, such as an image tag with an 'onerror' event, to a page. Finally, visit the page to trigger the cross-site scripting payload.

Remediation

Users are advised to update to Citizen version 3.4.0 or later, where this vulnerability has been fixed.