Craft CMS 5.9.x < 5.9.11 Stored XSS (GHSA-3x4w-mxpf-fhqq)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(303619);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/03/26");

  script_cve_id("CVE-2026-33051");

  script_name(english:"Craft CMS 5.9.x < 5.9.11 Stored XSS (GHSA-3x4w-mxpf-fhqq)");

  script_set_attribute(attribute:"synopsis", value:
"The Craft CMS instance installed on the remote host is affected by a cross-site scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Craft CMS installed on the remote host is 5.9.x prior to 5.9.11. It is, therefore,
affected by a cross-site scripting vulnerability:

  - The revision/draft context menu in the element editor renders the creator's fullName as raw HTML due to the
    use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user
    can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an
    administrator views the affected element, the attacker's account can be elevated to administrator.
    (CVE-2026-33051)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported
version number.");
  # https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2178de12");
  script_set_attribute(attribute:"solution", value:
"Upgrade Craft CMS to version 5.9.11 or later.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:U");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-33051");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/03/16");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/03/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/03/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:craftcms:craft_cms");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("craftcms_nix_installed.nbin");
  script_require_keys("installed_sw/Craft CMS");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'Craft CMS', 'type': 'app'},
      'requires': [{'scope': 'target', 'match': {'os': 'linux'}}],
      'check_algorithm': 'default',
      'constraints': [
        {'min_version': '5.9.0-beta.1', 'fixed_version': '5.9.11'}
      ]
    }
  ]
};

var result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING);
vdf::handle_check_and_report_errors(vdf_result:result);