CVE-2022-37251 - Stored XSS in Drafts in Craft CMS

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts.

September 07, 2022

1. Vulnerability Properties

Title: Stored XSS in Drafts in Craft CMS
CVE ID: CVE-2022-37251
CVSSv3 Base Score: 8.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Vendor: Craft CMS
Products: Craft CMS
Advisory Release Date: 7 Sep 2022
Advisory URL: https://labs.integrity.pt/advisories/cve-2022-37251
Credits: Discovery by Gil Correia <gil.correia[at]devoteam.com>

2. Vulnerability Summary

To exploit this vulnerability, the attacker needs to create a new Entry and then a Draft inside the freshly created Entry.
After these steps, the XSS payload needs to be introduced in the “Draft name”. The reflection occurs in the “Apply draft” and in the “Save draft” functionality. There is also a third reflection on /admin/dashboard once the payload has been created and the “My Drafts” widget is then added to the dashboard.
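The three render points named in the summary, modelled as an added example (not Craft CMS code and not taken from the advisory). The templates, function names and sample records are hypothetical and constructed; it shows a stored draft name interpolated raw beside the output-encoded form, plus a small audit over stored names.

```javascript
// Added illustration; not Craft CMS code. All names and templates are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a stored value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Stand-ins for the three places the advisory says the draft name is shown.
const SINKS = {
  saveDraft: (name) => `<p class="notice">Draft “${name}” saved.</p>`,
  applyDraft: (name) => `<p class="notice">Draft “${name}” applied.</p>`,
  myDraftsWidget: (name) => `<li><a href="#" title="${name}">${name}</a></li>`,
};

// Render one sink with the stored name encoded (default) or raw (the flaw).
function render(sink, draftName, { encode = true } = {}) {
  return SINKS[sink](encode ? escapeHtml(draftName) : draftName);
}

// Count characters that open tags or delimit attributes in a fragment.
function structureCount(html) {
  return (html.match(/[<"]/g) || []).length;
}

// True when the draft name changes the fragment's markup structure
// compared with the same template rendered with an inert name.
function introducesMarkup(sink, draftName, opts) {
  return structureCount(render(sink, draftName, opts)) !==
         structureCount(render(sink, 'x', opts));
}

// Audit: ids of stored drafts whose names would alter markup if rendered raw.
function auditDrafts(drafts) {
  return drafts
    .filter((d) => Object.keys(SINKS).some((s) => introducesMarkup(s, d.name, { encode: false })))
    .map((d) => d.id);
}

// Constructed sample records (not real data); the probe is inert markup.
const sampleDrafts = [
  { id: 1, name: 'Spring campaign v2' },
  { id: 2, name: 'Draft <b id="probe">1</b>' },
  { id: 3, name: 'Q&A page' },
];
```

With encoding on, every sink keeps the same structure as the template itself, which is the property to check on any view that displays a draft name.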

3. Vulnerable Versions

  • 4.2.0.1

4. Solution

  • Update to version 4.2.1 or higher

5. Vulnerability Timeline

  • 01/08/22 - Vulnerability reported to Craft CMS via their report page.
  • 01/08/22 - Vulnerability verified by vendor.
  • 01/08/22 - Vulnerability fixed by vendor.
  • 07/09/22 - Advisory released.

6. References

  • https://github.com/craftcms/cms/commit/919c9074ff8596bf30a629b0888c529793e9a903

Related news

CVE-2022-46496: CVE-2022-46496 - Missing TLS Certificate Validation in DoorEntry HOMETOUCH for iOS

BTicino Door Entry HOMETOUCH for iOS 1.4.2 was discovered to be missing an SSL certificate.

CVE-2022-37720: Orchard | Buy your next home before you sell

Orchardproject Orchard CMS 1.10.3 is vulnerable to Cross Site Scripting (XSS). A low-privileged user, such as an author or publisher, can inject a crafted HTML and JavaScript payload in a blog post, leading to full admin account takeover or privilege escalation when the malicious blog post is loaded in the victim's browser.

GHSA-f546-v666-559x: Craft CMS Cross-site Scripting vulnerability

Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line `label: elementInfo.label`.

CVE-2022-37246: Fixed an XSS vulnerability · craftcms/cms@1d5fdba

Craft CMS 4.2.0.1 is affected by Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line `label: elementInfo.label`.

GHSA-8r89-x93x-mjq2: Craft CMS Stored Cross-site Scripting in User Addresses Title

Craft CMS 4.2.0.1 suffers from Stored Cross Site Scripting (XSS) in `/admin/myaccount`.

GHSA-wxvf-839f-jqmh: Craft CMS Cross site Scripting vulnerability

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via `src/helpers/Cp.php`.

GHSA-mw37-wx8p-gp45: Craft CMS vulnerable to Cross-site Scripting via Drafts

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via Drafts. Version 4.2.1 contains a patch for this issue.

CVE-2022-37248: More XSS vulnerabilities · craftcms/cms@cedeba0

Craft CMS 4.2.0.1 is vulnerable to Cross Site Scripting (XSS) via src/helpers/Cp.php.
