CVE-2022-39839: Stored XSS on forum · Issue #1661 · Cotonti/Cotonti
Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post.
Closed
delyura opened this issue
Aug 30, 2022
· 4 comments
Comments
Hello, we found a stored XSS on the forum.
Tested on the latest version, 0.9.20.
PoC:
Create a new topic with a poll
XSS executes
This thing is available only to administrators. It is related to the HTML Purifier settings. Administrators have more permissions than regular users.
JavaScript needs to be disabled in HTMLPurifier for admins too, somehow.
Alex300 added a commit that referenced this issue
Sep 4, 2022
<script> tags are disabled in HTMLPurifier for admins too
Creating blacklists is not best practice; you should use a whitelist. For example, if you disable the <script> tag, the payload <img src=x onerror=alert(1)> will still work.
For a comprehensive list, check out the DOMPurify allowlist.
Are you suggesting making a whitelist with all possible valid options, except for the <script> tag :)?
but the payload <img src=x onerror=alert(1)>
Really? I can’t reproduce this case.
Moreover, this situation is only possible if an administrator saves text containing the XSS script. Regular users have stricter HTMLPurifier settings.
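To illustrate both points raised in the thread (an allowlist instead of a blocklist, and stricter settings for regular users than for admins), here is an added example of role-based HTMLPurifier configurations; it is not Cotonti's code, it assumes HTMLPurifier is installed via Composer, and the function names and the way the caller knows the poster's role are hypothetical.

```php
<?php
// Added example (not Cotonti's code). Assumes HTMLPurifier is installed via
// Composer; forumPurifierConfig() and blocklistConfig() are hypothetical names.
require_once __DIR__ . '/vendor/autoload.php';

// Allowlist approach: only the listed elements and attributes survive. Anything
// not named here, including <script> and every on* event-handler attribute, is
// dropped, so the set of what an admin may post is explicit rather than "all but script".
function forumPurifierConfig(bool $isAdmin): HTMLPurifier_Config
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null); // no cache directory needed for a demo
    // Admins get a few extra elements, but the set is still an explicit allowlist.
    $allowed = $isAdmin
        ? 'p,br,b,i,u,strong,em,ul,ol,li,blockquote,a[href|title],img[src|alt|width|height],table,tr,td,th'
        : 'p,br,b,i,strong,em,ul,ol,li,blockquote,a[href|title]';
    $config->set('HTML.Allowed', $allowed);
    // Only http/https links, so javascript: and data: URIs are rejected as well.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return $config;
}

// Blocklist approach, shown only for contrast: it names what to forbid and
// relies on everything else being acceptable, which is the pattern the thread warns against.
function blocklistConfig(): HTMLPurifier_Config
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('Cache.DefinitionImpl', null);
    $config->set('HTML.ForbiddenElements', 'script');
    return $config;
}

// Constructed forum post containing the payloads mentioned in the thread.
$post = '<p>Poll: vote below</p><script>alert(1)</script>'
      . '<img src=x onerror=alert(1)><a href="javascript:alert(1)">vote</a>';

foreach (['regular user' => false, 'admin' => true] as $role => $isAdmin) {
    $purifier = new HTMLPurifier(forumPurifierConfig($isAdmin));
    echo $role . ': ' . $purifier->purify($post) . PHP_EOL;
}
echo 'blocklist: ' . (new HTMLPurifier(blocklistConfig()))->purify($post) . PHP_EOL;
```

Run it against a post saved by each role and compare what each configuration lets through; the allowlist variant makes the difference between admin and regular-user permissions visible in one place instead of scattered across forbidden-element lists.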