CVE-2024-36123 Information
Description
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The contents of the page MediaWiki:Tagline are used unescaped, so custom HTML (including JavaScript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the editinterface permission or sysops). This vulnerability is fixed in 2.16.0.
Reference
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-jhm6-qjhq-5mf9
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/4a43280242f33e54643087da4a7f40970d2640c9
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/c11fbf67a99366d5a40ef880469b222679e3b475/includes/Components/CitizenComponentPageHeading.php#L190-L195
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/c11fbf67a99366d5a40ef880469b222679e3b475/includes/Components/CitizenComponentPageHeading.php#L197-L201
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/releases