Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-47536

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.

Published

2024-09-30T17:15:04.780

Last Modified

2025-08-25T02:04:28.420

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

Weaknesses

Type: Secondary
CWE-79
CWE-80

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	starcitizen.tools	citizen	< 2.31.0	Yes

References

https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/d45c3d69f30863f622f16eb40dd41d3ca943454a/includes/Components/CitizenComponentUserInfo.php#L137 Product ([email protected])
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/717d16af35b10dab04d434aefddbf991fc8c168c Patch ([email protected])
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/commit/86da3e07718c8d8da6f4310386fef85599606f9b Patch ([email protected])
https://github.com/StarCitizenTools/mediawiki-skins-Citizen/security/advisories/GHSA-62r2-gcxr-426x Exploit, Vendor Advisory ([email protected])