Summary
A user with the editmyprivateinfo right or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.
Details
Here's the offending line:
|
<span id="pt-userpage-realname">$realname</span> |
This was introduced in 717d16a
PoC
- Login
- Go to Special:Preferences
- Set the real name field to a string like
<script>alert("Admin with a propensity for self-XSSes")</script>
- Save your settings and use Citizen if it's not being used already
Impact
Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.
BlankEclair Reporter
Summary
A user with the
editmyprivateinforight or who can otherwise change their name can XSS themselves by setting their "real name" to an XSS payload.Details
Here's the offending line:
mediawiki-skins-Citizen/includes/Components/CitizenComponentUserInfo.php
Line 137 in d45c3d6
This was introduced in 717d16a
PoC
<script>alert("Admin with a propensity for self-XSSes")</script>Impact
Any user who can change their name (whether it's through the editmyprivateinfo right or through other means) can add XSS payloads that trigger for themselves only.