CVE-2022-30429: XSS in various backend modules

Multiple cross-site scripting (XSS) vulnerabilities in Neos CMS allow attackers with the editor role or higher to inject arbitrary script or HTML code using the editor function, the deletion of assets, or a workspace title. The vulnerabilities were found in versions 3.3.29 and 8.0.1 and could also be present in all intermediate versions.


Component Type: neos/neos
Vulnerability Type: XSS
Severity: medium
Affected Versions: Neos from version 3.3 upwards
Fixed Versions: 5.3.10, 7.0.9, 7.1.7, 7.2.6, 7.3.4, 8.0.2

The notification module that displays flash messages unescapes HTML coming from the server, resulting in XSS vulnerabilities through the various names and labels of entities (e.g. a workspace title or a media title).

This does mean, however, that an attacker must already be a logged-in user with the respective rights in order to use this attack vector.
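To illustrate the bug class described above, here is a minimal flash-message renderer in its unescaping form beside an escaping form. This is an added example, not Neos code and not the actual Neos patch; the function names, the severity whitelist and the sample workspace title are constructed.

```javascript
// Added example modelled on the advisory: a notification renderer that
// interpolates server-supplied text into markup. Names and sample data are
// constructed; this is not code from the Neos project.

// Escape the characters that can break out of an HTML text node or attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: the message text (which embeds an entity label such as a
// workspace title) is trusted as HTML, so markup in the title is rendered.
function renderFlashMessageUnsafe(message) {
  return `<div class="flash flash-${message.severity}">${message.text}</div>`;
}

// Hardened form: every server-supplied field is escaped before it is placed
// in markup, and the class suffix is restricted to a known set.
const SEVERITIES = new Set(['ok', 'warning', 'error']);
function renderFlashMessage(message) {
  const severity = SEVERITIES.has(message.severity) ? message.severity : 'error';
  return `<div class="flash flash-${severity}">${escapeHtml(message.text)}</div>`;
}

// Constructed sample: a deletion notice for a workspace whose title carries
// markup, which an editor-role user is able to set.
const sampleMessage = {
  severity: 'ok',
  text: 'Workspace "Review <script>alert(1)</script>" was deleted',
};

// Detection helper: does the rendered output contain a raw element of this
// name, i.e. did server text become markup?
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, 'i').test(html);
}
```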

Fixing the Issue

To fix the issue, you need to update neos/neos to the newest bugfix version.

Note: The last supported version for security fixes is Neos 5.3. If you are still using an earlier Neos version we urge you to update immediately anyway.

Make sure you have at least one of the following versions after updating:

  • 5.3.10
  • 7.0.9
  • 7.1.7
  • 7.2.6
  • 7.3.4
  • 8.0.2

Credits

Thanks to Nina Wagner of it.sec GmbH who reported the issue to us. And to Christian Müller for fixing it!

Getting Help

In case you are unsure about the issue, don’t hesitate to contact the Neos team on Slack (#neos-general) or through the other communication channels!
