CVE-2024-47536: starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field
A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their “real name” to an XSS payload.
References
- github.com/StarCitizenTools/mediawiki-skins-Citizen
- github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/717d16af35b10dab04d434aefddbf991fc8c168c
- github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/86da3e07718c8d8da6f4310386fef85599606f9b
- github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-62r2-gcxr-426x
- github.com/advisories/GHSA-62r2-gcxr-426x
- nvd.nist.gov/vuln/detail/CVE-2024-47536
Detect and mitigate CVE-2024-47536 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →