"The Crayons of Madagascar"
Type of issue: Core CMS issue
Level of severity: Internal Attack Vector
Concrete5 version: 8.2.0 RC2 rev. 32c9daf352645d4fafedb7b956e7f2de4e153ab3
There is a Stored XSS vulnerability in the User Groups -> Group Details Name field. This vulnerability might be used to perform an internal attack against other concrete5 users who have permission to view the User Groups list.
To exploit this vulnerability, the user has to be tricked into performing some additional actions, or the attacker has to wait until the user performs those actions on their own.
Choose the Edit Group option from the dropdown menu.
In the Name field, put the following payload:
locals" onclick=alert('XSS!') "'>
The Name field is properly sanitized in (almost) every other context in which it is used.
On the User Groups screen, use the search feature to find the locals group (put locals into the search field and press Enter):
Click on the link. The malicious payload will be executed:
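The payload above works because the search result places the group name inside a double-quoted HTML attribute without escaping it, so the embedded " closes the attribute and the rest of the value is parsed as a new onclick attribute. The following Python snippet is an added illustration and is not Concrete5 code: it renders a constructed anchor tag for the group name both unescaped and with attribute-context escaping (html.escape with quote=True), then parses the result with html.parser to show which attributes the browser-side parser would actually see. The markup template, the data-group-name attribute and the function names are assumptions made for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the exact payload from the report, used as a group name.
PAYLOAD = "locals\" onclick=alert('XSS!') \"'>"


def render_link_unescaped(group_name: str) -> str:
    """Vulnerable rendering (assumed template): the raw group name is placed
    into a double-quoted attribute and into the element text unchanged."""
    return f'<a href="#" data-group-name="{group_name}">{group_name}</a>'


def render_link_escaped(group_name: str) -> str:
    """Hardened rendering: html.escape(quote=True) encodes & < > " and ',
    so the value can neither close the attribute nor open a new one."""
    safe = html.escape(group_name, quote=True)
    return f'<a href="#" data-group-name="{safe}">{safe}</a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attributes the parser assigns to the first <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            # Attribute values are entity-decoded by HTMLParser, so an escaped
            # name round-trips to the original string here.
            self.attrs = dict(attrs)


def anchor_attributes(markup: str) -> dict:
    """Parse markup and return the attribute dict of its <a> element."""
    parser = _AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def injected_event_handlers(markup: str) -> list:
    """Return any on* attributes the parser found on the anchor; an empty list
    means no event handler was smuggled in through the group name."""
    return sorted(name for name in anchor_attributes(markup) if name.startswith("on"))


if __name__ == "__main__":
    for label, render in (("unescaped", render_link_unescaped), ("escaped", render_link_escaped)):
        markup = render(PAYLOAD)
        print(f"{label}: {markup}")
        print(f"  attributes seen by parser: {anchor_attributes(markup)}")
        print(f"  injected handlers: {injected_event_handlers(markup)}")
```

Running the script shows the unescaped version yields an onclick attribute on the anchor, while the escaped version keeps the whole payload as the literal value of data-group-name. Escaping must match the output context: attribute-context encoding is the fix for this report, but a group name that is also written into a URL, a JavaScript string or a CSS value needs the encoder for that context as well.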
This vulnerability was tested on macOS Sierra 10.12.5 with the following browsers:
I hope my report will help keep Concrete5 safe in the future.
Rafal 'bl4de' Janicki