CVE-2024-47536 MEDIUM

CVE-2024-47536: starcitizentools/citizen-skin vulnerable to stored, self-XSS in the "real name" field

Vendor Starcitizentools
Product mediawiki-skins-Citizen
Weakness CWE-80 · XSS · basic
Published September 30, 2024
Last update September 30, 2024

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.

Key dates

02 Disclosure timeline

September 30, 2024 CVE published
September 30, 2024 Record updated