PT-2024-32649 · Mediawiki · Mediawiki Citizen Skin

Blankeclair · Published 2024-09-30 · Updated 2025-08-25 · CVE-2024-47536

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: MediaWiki Citizen Skin, versions prior to 2.31.0
Description: A user who holds the editmyprivateinfo right (or who can otherwise change their real name) can perform a self-XSS attack by setting the "real name" field in their preferences to an HTML/JavaScript payload, for example <script>alert("Admin with a propensity for self-XSSes")</script>. The Citizen skin inserts the real name into its markup without escaping it, so the payload is treated as HTML rather than text. The script runs in the browser of the user whose name it is on pages rendered with the Citizen skin, starting with the page shown after the preferences are saved; other skins are not affected.
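The following is an added illustration, not the Citizen skin's own code: it contrasts the unsafe way of placing a stored real name into HTML (plain concatenation) with the escaped form, and adds a small check that flags stored real names which look like markup. The function names, the CSS class and the regular expression are assumptions made for the example; the payload is the one quoted in the description above.

```php
<?php
// Added example, not the Citizen skin's own code.

// Vulnerable pattern: the stored real name is concatenated straight into markup,
// so a real name that contains tags is parsed as HTML by the browser.
function renderRealNameUnescaped( string $realName ): string {
	return '<span class="user-realname">' . $realName . '</span>';
}

// Hardened pattern: the real name is treated as text. In MediaWiki code the same
// effect comes from Html::element( 'span', [ 'class' => 'user-realname' ], $realName ),
// whose text argument is escaped; in plain PHP, htmlspecialchars() does it.
function renderRealNameEscaped( string $realName ): string {
	$safe = htmlspecialchars( $realName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
	return '<span class="user-realname">' . $safe . '</span>';
}

// Audit helper (assumed heuristic): a legitimate real name never needs angle
// brackets, double quotes, character references or a javascript: prefix.
// Apostrophes are deliberately allowed (O'Brien is a real name).
function realNameLooksLikeMarkup( string $realName ): bool {
	return (bool)preg_match( '/[<>"]|&#|&[a-z]+;|javascript:/i', $realName );
}

// The payload quoted in the advisory.
$payload = '<script>alert("Admin with a propensity for self-XSSes")</script>';

echo "Unescaped: ", renderRealNameUnescaped( $payload ), "\n";
echo "Escaped:   ", renderRealNameEscaped( $payload ), "\n";

foreach ( [ $payload, 'Jane Doe', "Conor O'Brien" ] as $name ) {
	printf( "%-70s markup? %s\n", $name, realNameLooksLikeMarkup( $name ) ? 'yes' : 'no' );
}
```

In the unescaped output the <script> element survives intact and would execute when the browser parses the page; in the escaped output the angle brackets and double quotes become &lt;, &gt; and &quot; entities, which the browser displays literally. The same escaping rule applies to every other place a skin prints user-controlled text (tooltips, aria-labels, attribute values), not only the user menu.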
Recommendations: For versions prior to 2.31.0, update to version 2.31.0 or later. As a temporary workaround, restrict users' ability to change their real name, for example by withdrawing the editmyprivateinfo right from untrusted groups or by hiding the "real name" preference. Note that such a workaround only prevents new changes: real names that already contain a payload stay in the database and keep rendering, so audit the stored values as well.
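The LocalSettings.php fragment below is an added example of the interim workaround, not text from the advisory or the Citizen project. Both settings ($wgGroupPermissions and $wgHiddenPrefs) are standard MediaWiki configuration; which groups you treat as trusted is an assumption you must adapt to your wiki.

```php
<?php
// Added example for an unpatched wiki's LocalSettings.php; not from the advisory
// or the Citizen project. Group names below are assumptions.

// Option A: withdraw the right that lets a user edit their own private data.
// MediaWiki grants editmyprivateinfo to '*' (everyone) by default, so it has to
// be switched off for every untrusted group, not only 'user'. Keep it for trusted
// groups, otherwise they also lose the ability to change their own e-mail address.
$wgGroupPermissions['*']['editmyprivateinfo'] = false;
$wgGroupPermissions['user']['editmyprivateinfo'] = false;
$wgGroupPermissions['sysop']['editmyprivateinfo'] = true;

// Option B (narrower): hide only the real-name preference. It disappears from
// Special:Preferences and from the optional field on account creation, while
// e-mail changes keep working. Pick A or B; both together is harmless.
$wgHiddenPrefs[] = 'realname';
```

After deploying either option, confirm on your own wiki that a test account can no longer change its real name through any path you expose, and look for already stored payloads: the real name lives in the user_real_name column of the user table, so a query for rows whose value contains '<' or '&' finds the obvious cases (the heuristic from the previous example flags the same rows). Remove the workaround once the skin is at 2.31.0 or later.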

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2024-47536
GHSA-62R2-GCXR-426X

Affected Products

Mediawiki Citizen Skin