Citizen
CVE-2024-36123
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page MediaWiki:Tagline has its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the editinterface permission, or sysops). This vulnerability is fixed in 2.16.0.
AnalysisAI
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The page MediaWiki:Tagline has its contents used unescaped, so custom HTML (including Javascript) can be injected by someone with the ability to edit the MediaWiki namespace (typically those with the editinterface permission, or sysops). This vulnerability is fixed in 2.16.0. Affected products include: Starcitizen.Tools Citizen.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0,
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0,
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. All system messages in menu headings
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various date messages returned by `La
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Various preferences messages are inse
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. The citizen-search-noresults-title an
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Multiple system messages are inserted
Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. Rated medium severity (CVSS 4.8), thi
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today