Citizen MediaWiki Skin Sticky Header Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Citizen skin for MediaWiki, affecting versions from 3.3.0 up to, but not including, 3.9.0. The issue arises in the sticky header's button message handling: the 'copyButtonAttributes' function in 'stickyHeader.js' transfers button labels using 'innerHTML' instead of 'textContent'. As a result, system message content that was emitted as escaped HTML is re-interpreted as live HTML in the sticky header, which lets a user holding the 'editinterface' right, but not 'editsitejs', inject script. The vulnerability could lead to the execution of arbitrary JavaScript in the sessions of other users, potentially allowing unauthorized access to sensitive data or actions.
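To make the mechanism concrete, here is an added example (not code from Citizen or MediaWiki) that models the two ways of transferring a label using a tiny stand-in for the DOM, so it runs outside a browser; FakeElement, copyLabelVulnerable, copyLabelFixed and demo are hypothetical names, and the message value is constructed from the advisory's payload.

```javascript
// Added example, not Citizen's stickyHeader.js: a tiny stand-in for the DOM so
// the innerHTML/textContent difference runs outside a browser (names are hypothetical).
const escapeHtml = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
const unescapeHtml = (s) => s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
  .replace(/&quot;/g, '"').replace(/&amp;/g, '&');

class FakeElement {
  constructor() { this.text = ''; this.children = []; }
  // Reading innerHTML serialises text with entities, as a browser does.
  get innerHTML() { return escapeHtml(this.text) + this.children.map((c) => c.markup).join(''); }
  // Writing innerHTML parses markup: each tag becomes a child element, and any
  // on*= attribute on it is recorded as an event handler (active content).
  set innerHTML(markup) {
    this.children = [];
    const stripped = markup.replace(/<([a-z]+)([^>]*)>/gi, (m, name, attrs) => {
      const handlers = [...attrs.matchAll(/\b(on\w+)\s*=/gi)].map((a) => a[1].toLowerCase());
      this.children.push({ tag: name.toLowerCase(), handlers, markup: m });
      return '';
    });
    this.text = unescapeHtml(stripped);
  }
  // textContent never creates elements; the string is data, not markup.
  get textContent() { return this.text; }
  set textContent(s) { this.text = s; this.children = []; }
}

// The pattern the advisory describes: the label is moved via innerHTML, so text
// that was only escaped markup in the source becomes live markup in the target.
function copyLabelVulnerable(source, target) { target.innerHTML = source.textContent; }
// The fix, in the advisory's terms: move the label as text.
function copyLabelFixed(source, target) { target.textContent = source.textContent; }

// Constructed system-message value, modelled on the advisory's payload.
const MESSAGE = '<img src="" onerror="alert(1)">';

// Builds the source the way MediaWiki emits an escaped message, copies it with
// the given strategy and reports what ended up in the sticky header element.
function demo(copyFn) {
  const source = new FakeElement();
  source.innerHTML = escapeHtml(MESSAGE);
  const target = new FakeElement();
  copyFn(source, target);
  const scripted = target.children.filter((c) => c.handlers.length > 0);
  return { markup: target.innerHTML, scriptedTags: scripted.map((c) => c.tag) };
}

console.log('vulnerable:', demo(copyLabelVulnerable)); // scriptedTags: ['img']
console.log('fixed:     ', demo(copyLabelFixed));      // scriptedTags: []
```

The same check (does the copied label create any element carrying an on*= handler?) is what a reviewer would look for when auditing other DOM copies in the skin.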
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.
Reproduction
To reproduce this vulnerability, edit a system message used by the Citizen skin's sticky header, such as 'citizen-share' or 'nstab-talk', and insert a payload like '<img src='' onerror='alert(1)'>'. Then, navigate to a page that triggers the sticky header, such as a main article page.
Remediation
Users can update to Citizen skin version 3.9.0 or later, where this vulnerability has been fixed.
