CVE-2024-47536 in mediawiki-skins-Citizen

Summary

by MITRE • 09/30/2024

Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload. This vulnerability is fixed in 2.31.0.


Analysis

by VulDB Data Team • 08/25/2025

The CVE-2024-47536 vulnerability affects the Citizen MediaWiki skin, a user interface component that integrates extensions into a unified experience for wiki platforms. This flaw represents a cross-site scripting vulnerability that specifically targets users possessing the editmyprivateinfo right or those capable of modifying their usernames. The vulnerability arises from insufficient input validation when processing user-provided real name data within the Citizen skin's implementation.

The technical exploitation occurs through the manipulation of the "real name" field, which serves as an entry point for malicious script injection. When a user with appropriate permissions sets their real name to an XSS payload, the malicious code executes within the context of other users' browsers who view the affected profile information. This vulnerability falls under the CWE-79 category of Cross-Site Scripting, specifically representing a stored XSS variant where the malicious payload is permanently stored on the server and executed upon subsequent page loads.

The operational impact of this vulnerability extends beyond simple script execution, as it allows attackers to potentially steal session cookies, perform unauthorized actions on behalf of other users, or redirect victims to malicious websites. The Citizen skin's design philosophy of integrating extensions into a cohesive experience inadvertently creates a vector where user-controlled data can be processed without adequate sanitization. This represents a significant security risk in collaborative environments where multiple users interact through the same wiki platform, as the vulnerability can be exploited by any user with the editmyprivateinfo permission or equivalent access rights.

Mitigation strategies should focus on implementing comprehensive input sanitization and output encoding for all user-provided data within the Citizen skin's real name field. The recommended fix involves upgrading to version 2.31.0 or later, which includes proper validation mechanisms and sanitization routines for user input. Organizations should also consider implementing Content Security Policy headers to limit the execution of unauthorized scripts, while administrators should review and restrict user permissions to minimize potential exploitation vectors. This vulnerability aligns with ATT&CK technique T1531 which covers "Run-time privilege escalation" and demonstrates how seemingly benign user interface components can become attack vectors when proper input validation is absent. The fix implemented in version 2.31.0 addresses the root cause by ensuring that all user-provided real name data undergoes proper sanitization before being rendered in the browser context, thereby preventing the execution of malicious scripts through the stored XSS vector.
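The output-encoding mitigation described above, as an added example that is not Citizen's code or the 2.31.0 patch: a renderer that concatenates the real name into markup, beside one that encodes it at output time, with a regression check run over constructed sample names. The function names and the `<span>` template are hypothetical.

```php
<?php
declare(strict_types=1);

// Added illustration: function names and markup are hypothetical, not Citizen's code.

// Vulnerable pattern: the stored real name is concatenated into markup as-is.
function renderRealNameUnsafe(string $realName): string
{
    return '<span class="realname" title="' . $realName . '">' . $realName . '</span>';
}

// Hardened pattern: encode at output time. ENT_QUOTES also encodes ' and ",
// which matters because the value lands inside an attribute as well as in text.
function renderRealNameSafe(string $realName): string
{
    $encoded = htmlspecialchars($realName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="realname" title="' . $encoded . '">' . $encoded . '</span>';
}

// Regression check: the output must be exactly the template's one <span>, with
// no extra tags or attributes, and must decode back to the stored value.
function rendersAsPlainText(string $html, string $realName): bool
{
    $template = '/^<span class="realname" title="([^"<>]*)">([^<>]*)<\/span>$/D';
    if (preg_match($template, $html, $m) !== 1) {
        return false;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8') === $realName
        && html_entity_decode($m[2], ENT_QUOTES, 'UTF-8') === $realName;
}

// Constructed sample values for the "real name" field.
$samples = [
    'Ada Lovelace',                 // benign: both renderers pass
    "Ada O'Neil & Sons",            // legitimate punctuation must survive
    '<script>alert(1)</script>',    // markup in element content
    '" onmouseover="alert(1)',      // attribute breakout attempt
];

foreach ($samples as $name) {
    printf(
        "%-28s unsafe=%s safe=%s\n",
        $name,
        var_export(rendersAsPlainText(renderRealNameUnsafe($name), $name), true),
        var_export(rendersAsPlainText(renderRealNameSafe($name), $name), true)
    );
}
```

Benign names pass the check with both renderers, so a regression test for this class of bug needs markup-bearing and quote-bearing values to tell them apart.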

Responsible: GitHub M
Reservation: 09/25/2024
Disclosure: 09/30/2024
Moderation: accepted
CPE: ready
EPSS: 0.00803
KEV: no
Activities: very low
