Tag
#vulnerability
### Summary All system messages in menu headings using the Menu.mustache template are inserted as raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The system messages for menu headings are inserted unescaped into raw HTML: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/072e4365e9084e4b153eac62d3666566c06f5a49/templates/Menu.mustache#L8-L10 ### PoC 1. Go to any article using citizen with the `uselang` parameter set to `x-xss` 2. A large number of alerts will be shown for various messages, e.g.:   On the main page of my test wiki, the following messages were shown: `navigation`, `notifications`, `user-interface-preferences`, `personaltools`, `variants`, `views`, `associated-pages`, `cactions` and `toolbox`. ### Impact This impacts wiki...
### Summary Various preferences messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The `innerHtml` of the label div is set to the `textContent` of the label, essentially unsanitizing the system messages: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.preferences/addPortlet.polyfill.js#L18 ### PoC 1. Edit `citizen-feature-custom-font-size-name` (or any other message displayed in a heading in the preferences menu) to `<img src="" onerror="alert('citizen-feature-custom-font-size-name')">` (script tags don't work here due to the way the HTML is inserted) 2. Open the preferences menu 
### Summary The `citizen-search-noresults-title` and `citizen-search-noresults-desc` system messages are inserted into raw HTML, allowing anybody who can edit those messages to insert arbitrary HTML into the DOM. ### Details The system messages are inserted as raw HTML by the mustache template: https://github.com/StarCitizenTools/mediawiki-skins-Citizen/blob/407052e7069bdeae927d6f1a2a1c9a45b473bf9a/resources/skins.citizen.search/templates/TypeaheadPlaceholder.mustache#L8-L9 ### PoC 1. Edit `citizen-search-noresults-title` and `citizen-search-noresults-desc` to `<img src="" onerror="alert('citizen-search-noresults-title')">` and `<img src="" onerror="alert('citizen-search-noresults-desc')">` (script tags don't work here due to the way the HTML is inserted) 2. Open the search bar and search for a page that doesn't exist to get the "no results" messages to show up  .
Arbitrary event injection on Salt Master. The master's "_minion_event" method can be used by and authorized minion to send arbitrary events onto the master's event bus.