CVE-2022-26144: 0029688: CVE-2022-26144: XSS in manage_plugin_page.php and manage_plugin_uninstall.php
An XSS issue was discovered in MantisBT before 2.25.3. Improper escaping of a Plugin name allows execution of arbitrary code (if CSP allows it) in manage_plugin_page.php and manage_plugin_uninstall.php when a crafted plugin is installed.
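The defect class described above is an output-encoding bug: a plugin-supplied name is written into the admin page's HTML without escaping. The snippet below is an added illustration and is not MantisBT code; it uses plain `htmlspecialchars()` rather than any MantisBT helper, and the plugin name, the two `render_plugin_row_*` functions and the sample payload are all constructed for the demonstration.

```php
<?php
// Added example, not MantisBT's own code. It contrasts rendering a
// plugin name without escaping (the advisory's bug class) against
// rendering it HTML-encoded for a text context.

// Constructed sample: the name a crafted plugin could declare.
// (assumption: plugin metadata is attacker-controlled, as the advisory states)
$plugin_name = 'Demo<script>alert(1)</script>';

// Vulnerable pattern: raw interpolation into HTML markup.
function render_plugin_row_unsafe(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Hardened pattern: encode for an HTML text context at the point of output.
// ENT_QUOTES also encodes quotes so the same helper is safe inside attributes.
function render_plugin_row_safe(string $name): string
{
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

echo render_plugin_row_unsafe($plugin_name), PHP_EOL;
echo render_plugin_row_safe($plugin_name), PHP_EOL;

// Self-check: the hardened output must not contain a live <script> tag.
if (strpos(render_plugin_row_safe($plugin_name), '<script') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
```

Encoding belongs at the output site and must match the context (text node, attribute value, JavaScript string), not at storage time; a Content-Security-Policy that disallows inline scripts is the defence-in-depth layer the advisory refers to with "if CSP allows it", but it does not remove the need to encode.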
dregad
2022-02-26 01:58
developer ~0066307
CVE-2022-26144 assigned
atrol
2022-02-26 05:25
developer ~0066308
We are executing arbitrary plugin code that can’t be controlled by us, as there is no sandbox concept for plugins.
This means that you have to trust the whole plugin code.
@dregad not sure I am missing something.
Do you confirm that preventing the output of a crafted plugin name is just a minor security measure and not a hurdle for the real bad guys?
dregad
2022-03-01 02:26
developer ~0066316
This means that you have to trust the whole plugin code.
Yes of course, there is always such a risk when executing foreign code in your environment.
Actually this XSS is a regression that I introduced with MantisBT master 11a6d0de (see 0026142) so I thought it should at least be corrected (the vulnerability was originally fixed in 0012231).
preventing the output of a crafted plugin name is just a minor security measure
That’s exactly what this is.
not a hurdle for the real bad guys
Not really sure what you mean by that though…
atrol
2022-03-01 16:40
developer ~0066317
Not really sure what you mean by that though…
Attackers (bad guys) don’t rely on the non-sanitized plugin name to inject code.
It’s an easy job for them to find / use one of many other available options to execute malicious code in a plugin.