CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | HIGH |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

AI Score
Confidence: Low

EPSS
Percentile: 15.5%

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The contents of the page MediaWiki:Tagline are used unescaped, so custom HTML (including JavaScript) can be injected by anyone able to edit the MediaWiki namespace (typically those with the editinterface permission, or sysops). This vulnerability is fixed in 2.16.0.

Vendor | Product | Version | CPE |
---|---|---|---|
starcitizentools | mediawiki_skins_citizen | * | cpe:2.3:a:starcitizentools:mediawiki_skins_citizen:*:*:*:*:*:*:*:* |
[
  {
    "vendor": "StarCitizenTools",
    "product": "mediawiki-skins-Citizen",
    "versions": [
      {
        "version": "< 2.16.0",
        "status": "affected"
      }
    ]
  }
]
github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/c11fbf67a99366d5a40ef880469b222679e3b475/includes/Components/CitizenComponentPageHeading.php#L190-L195
github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/c11fbf67a99366d5a40ef880469b222679e3b475/includes/Components/CitizenComponentPageHeading.php#L197-L201
github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4a43280242f33e54643087da4a7f40970d2640c9
github.com/StarCitizenTools/mediawiki-skins-Citizen/releases
github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jhm6-qjhq-5mf9