CVE-2024-47536: 
PHP vulnerability analysis and mitigation

Citizen, a MediaWiki skin that makes extensions part of the cohesive experience, was found to contain a stored cross-site scripting (XSS) vulnerability. The vulnerability, identified as CVE-2024-47536, was discovered on September 28, 2024, and affects versions prior to 2.31.0. Users with the 'editmyprivateinfo' right or those who can change their name could exploit this vulnerability by setting their "real name" to an XSS payload (GitHub Advisory).

The vulnerability exists in the CitizenComponentUserInfo.php file where user-supplied real names were not properly escaped before being displayed. The issue was introduced in commit 717d16a and was fixed in version 2.31.0. The vulnerability has been assigned a CVSS v3.1 score of 4.6 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, and user interaction required (GitHub Advisory).

The vulnerability allows users with appropriate permissions to inject XSS payloads through their real name field, which would then be executed when they view their own profile. The impact is limited as users can only XSS themselves and cannot affect other users (GitHub Advisory).

The vulnerability has been patched in version 2.31.0 by implementing proper HTML escaping for the real name field. The fix was implemented in commit 86da3e0, which adds HTML special character escaping using ENT_QUOTES (GitHub Commit).