Headline
CVE-2023-34452: Self Cross Site Scripting (XSS) in /forgot_password
Grav is a flat-file content management system. In versions 1.7.42 and prior, the “/forgot_password” page has a self-reflected cross-site scripting vulnerability that can be exploited by injecting a script into the “email” parameter of the request. While this vulnerability can potentially allow an attacker to execute arbitrary code in the user’s browser, the impact is limited because it requires user interaction to trigger. As of the time of publication, a patch is not available. Server-side validation should be implemented to prevent this vulnerability.
Summary
The “/forgot_password” page has a self-reflected XSS vulnerability that can be exploited by injecting a script into the “email” parameter of the request. While this vulnerability can potentially allow an attacker to execute arbitrary code on the user’s browser, the impact is limited as it requires user interaction to trigger the vulnerability. Server-side validation should still be implemented to prevent this vulnerability.
Details
The reflected XSS vulnerability is present in the “/forgot_password” page of the web application. It occurs because the application fails to properly sanitize user input before displaying it back to the user. An attacker can exploit this by injecting malicious code (such as a script) into the input field on the “/forgot_password” page. When the user submits the form, the injected code is returned in the response (in the notice message stating that a user with this username does not exist) and executed in the user’s browser.
PoC
To demonstrate the vulnerability, you can perform the following steps:
- Intercept the POST request sent by the “/forgot_password” page using a tool like Burp Suite.
- Modify the value of the “email” parameter in the request to the following payload: <script>alert("XSS");</script>
- Forward the modified request to the server.
- The injected script should be returned in the response and executed on the user’s browser.
Impact
The impact of this vulnerability is limited, as it requires user interaction to trigger the vulnerability. While an attacker can potentially execute arbitrary code on the user’s browser, the impact of the vulnerability depends on the context in which it is exploited and the level of access that the attacker gains as a result. It is still recommended to fix this vulnerability as soon as possible to prevent any potential exploitation. Since client-side validation can be bypassed, server-side validation should be implemented to properly sanitize user input before using it in the application.
Edit:
The problem may have occurred somewhere during the handling of the submitted email address when it is passed through translation:
./classes/Controller.php: $messages->add($language->translate(['PLUGIN_LOGIN.FORGOT_USERNAME_DOES_NOT_EXIST', $email]), 'error');
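As an added example (not Grav's code nor the advisory author's), the notice construction from the Controller.php line above is reduced to a stand-alone PHP snippet, with the unsafe interpolation beside a hardened version that applies the server-side validation and output encoding recommended under Impact. The function names, the message template and the sample input are assumptions.

```php
<?php
// Added example, not Grav's own code: a minimal stand-in for the
// forgot-password notice. Only the email value comes from user input.

declare(strict_types=1);

// Stand-in for the translated PLUGIN_LOGIN.FORGOT_USERNAME_DOES_NOT_EXIST
// string; %s receives the submitted email (assumed template).
const FORGOT_USERNAME_DOES_NOT_EXIST = 'User with email %s does not exist';

/** Vulnerable: the raw email is interpolated into the notice as-is. */
function buildNoticeUnsafe(string $email): string
{
    return sprintf(FORGOT_USERNAME_DOES_NOT_EXIST, $email);
}

/**
 * Hardened: reject input that is not a syntactically valid address on the
 * server (the client-side check can be bypassed) and never reflect the
 * rejected value; HTML-encode the value that is echoed back so the browser
 * cannot parse it as markup, whatever the validator let through.
 */
function buildNoticeSafe(string $email): string
{
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($valid === false) {
        return 'Please enter a valid e-mail address.';
    }
    $escaped = htmlspecialchars($valid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(FORGOT_USERNAME_DOES_NOT_EXIST, $escaped);
}

// Constructed sample input mirroring the advisory's PoC payload.
$payload = '<script>alert("XSS");</script>';

// The unsafe notice carries the <script> tag through untouched.
echo buildNoticeUnsafe($payload), PHP_EOL;

// The hardened notice rejects the payload outright.
echo buildNoticeSafe($payload), PHP_EOL;

// A valid address containing an apostrophe still passes validation, so the
// encoding step is what keeps the quote from breaking out of an attribute.
echo buildNoticeSafe("o'brien@example.com"), PHP_EOL;
```

Validation and encoding are independent layers: the first keeps garbage out of the response entirely, the second protects against any valid-looking value that still contains characters with meaning in HTML.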