Craft CMS stored XSS in review volume

2023-05-2613:55:42

Google

osv.dev

xss

craft cms

asset volumes

security fix

CVSS3

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

EPSS

0.001

Percentile

40.0%

JSON

Summary

XSS can be triggered by review volumes

PoC

1. Access setting tab
2. Create new assets
3. In assets name inject payload: "&lt;script&gt;alert(1337)&lt;/script&gt;
4. Click Utilities tab
5. Choose all volumes, or volume trigger xss
6. Click Update asset indexes.
7. Wait to assets update success.
8. Progress complete.
9. Click on review button will trigger XSS

Root cause

Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770
After loading completed, progess will load:
“skippedEntries”
and
“missingEntries”
These parameters is not yet filtered, I just tried “skippedEntries” but I think it will be work with “missingEntries”

My reponse:

{
“session”: {
“id”: 10,
“indexedVolumes”: {
“6”: “"<script>alert(1337)</script>”
},
“totalEntries”: 2235,
“processedEntries”: 2235,
“cacheRemoteImages”: true,
“listEmptyFolders”: false,
“isCli”: false,
“actionRequired”: true,
“dateCreated”: “Apr 5, 2023, 9:03:16 AM”,
“skippedEntries”: [
“"<script>alert(1337)</script>/assetpreviews/Image.php”,
“"<script>alert(1337)</script>/assetpreviews/Pdf.php”
],
“missingEntries”: {
“folders”: [],
“files”: []
},
“processIfRootEmpty”: false
},
“skipDialog”: false
}