CVE-2023-44763: GitHub - sromanhu/CVE-2023-44763_ConcreteCMS-Arbitrary-file-upload-Thumbnail: ConcreteCMS v.9.2.1 is affected by an Arbitrary File Upload vulnerability that allows Stored Cross-Site Scripting (XSS).
** DISPUTED ** Concrete CMS v9.2.1 is affected by an Arbitrary File Upload vulnerability via a Thumbnail file upload, which allows Cross-Site Scripting (XSS). NOTE: the vendor’s position is that a customer is supposed to know that “pdf” should be excluded from the allowed file types, even though pdf is one of the allowed file types in the default configuration.
ConcreteCMS Stored XSS v.9.2.1
Author: Sergio
Description: ConcreteCMS v9.2.1 is affected by an Arbitrary File Upload vulnerability which allows stored Cross-Site Scripting (XSS).
Attack Vectors: Insufficient sanitization of the "Thumbnail" file upload allows a PDF, SVG or HTML file containing a hidden Cross-Site Scripting (XSS) payload (an alert) to be uploaded.
POC:
After logging into the panel, go to "Settings - Tags - Thumbnail" in the Dashboard menu.
These are the payloads:
XSS PDF Payload:
It is an XSS payload generated with the JS2PDFInjector tool from a JavaScript payload with the following content:
Once uploaded, clicking the link shows the path where the files are stored:
The following image shows the embedded code that executes the payload on the main site.
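As an added defensive example (not code from the advisory, the JS2PDFInjector tool or Concrete CMS itself), the block below shows the two controls that close this class of bug: a thumbnail validator that accepts only raster images, judged by the last extension and by the file's magic bytes rather than by the site-wide allowed-types list the vendor note mentions, plus a content scan that rejects SVG/HTML markup and PDF JavaScript markers even when the header looks like an image; and a helper that builds response headers so a stored upload is never rendered as a document in the site's origin. All names (check_upload, serve_headers, the allowlist, the signature table) and the sample files are constructed for this example.

```python
"""Hardened thumbnail upload validation and safe serving of stored uploads (constructed example)."""
import os
import re

# Thumbnails are raster images. SVG, HTML and PDF are deliberately absent even if the
# site-wide upload allowlist (which, per the vendor note, includes pdf by default) permits them.
THUMBNAIL_ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}

# Leading byte signatures for the accepted formats (table constructed for this example).
_MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "webp": [b"RIFF"],  # RIFF container; bytes 8..12 must read "WEBP"
}

# Markers of active content a browser or PDF reader could execute, regardless of the claimed type.
_ACTIVE_CONTENT = re.compile(rb"<script|<svg|<html|<!doctype|%PDF-|/JavaScript", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised when an upload fails thumbnail validation."""


def validate_thumbnail(filename: str, data: bytes) -> str:
    """Return the normalised extension if the upload is an acceptable raster thumbnail, else raise."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("no extension")
    # Judge by the LAST extension, lower-cased, so "pic.png.svg" and "pic.SVG" are both ".svg".
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in THUMBNAIL_ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed for thumbnails")
    # An allowlist alone is not enough: the bytes must really be that image format.
    if not any(data.startswith(m) for m in _MAGIC[ext]):
        raise UploadRejected("content does not match declared image type")
    if ext == "webp" and data[8:12] != b"WEBP":
        raise UploadRejected("RIFF container is not WEBP")
    # Defence in depth against polyglots: a valid image header followed by markup or PDF objects.
    if _ACTIVE_CONTENT.search(data):
        raise UploadRejected("active content detected inside image")
    return ext


def check_upload(filename: str, data: bytes):
    """Convenience wrapper returning (accepted, extension_or_reason)."""
    try:
        return True, validate_thumbnail(filename, data)
    except UploadRejected as exc:
        return False, str(exc)


def serve_headers(ext: str) -> dict:
    """Headers for serving a stored upload so the browser never treats it as a script-bearing
    document in the site's origin, even if validation was bypassed."""
    content_type = {
        "jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
        "gif": "image/gif", "webp": "image/webp",
    }.get(ext, "application/octet-stream")
    headers = {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",                 # no sniffing HTML/SVG out of the bytes
        "Content-Security-Policy": "sandbox; default-src 'none'",  # no script if it is rendered anyway
    }
    if content_type == "application/octet-stream":
        headers["Content-Disposition"] = "attachment"       # unknown types are downloaded, not rendered
    return headers


# Constructed sample uploads used for the stand-alone run below.
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_WITH_SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HTML_AS_PNG = b"<html><script>alert(1)</script></html>"
PDF_WITH_JS = b"%PDF-1.7\n1 0 obj << /OpenAction << /S /JavaScript >> >> endobj"
POLYGLOT_PNG = PNG_HEADER + b"<script>alert(1)</script>"

if __name__ == "__main__":
    for name, blob in [("photo.PNG", PNG_HEADER), ("thumb.svg", SVG_WITH_SCRIPT),
                       ("thumb.png", HTML_AS_PNG), ("thumb.pdf", PDF_WITH_JS),
                       ("thumb.png", POLYGLOT_PNG), ("thumb.png.svg", PNG_HEADER)]:
        print(name, check_upload(name, blob))
    print(serve_headers("png"))
```

The validator runs on the upload path (before the file is written to the thumbnail directory), and serve_headers on the download path; applying both means the PDF/SVG/HTML payloads described above are refused at upload time, and a file that somehow reaches storage is still delivered with nosniff and a sandboxed CSP rather than executed in the site's origin.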
Additional Information:
https://www.concretecms.com/
https://owasp.org/Top10/es/A03_2021-Injection/