starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field
A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.
Advisories for Composer/Starcitizentools/Citizen-Skin package
2024