#xss

A post-authentication stored cross-site scripting vulnerability exists in Craft CMS versions <= 4.4.11. HTML, including script tags can be injected into field names which, when the field is added to a category or section, will trigger when users visit the Categories or Entries pages respectively.

skycaiji v2.5.4 is vulnerable to Cross Site Scripting (XSS). Attackers can achieve backend XSS by deploying malicious JSON data.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in ArtistScope CopySafe Web Protection plugin <= 3.13 versions.

SCM Manager versions 1.2 through 1.60 suffer from a persistent cross site scripting vulnerability.

Zenphoto version 1.6 suffers from multiple persistent cross site scripting vulnerabilities.

WBCE CMS version 1.6.1 suffers from a cross site scripting vulnerability.

### Summary XSS can be triggered via the Update Asset Index utility ### PoC 1. Access setting tab 2. Create new assets 3. In assets name inject payload: "<script>alert(26)</script> 4. Click Utilities tab 5. Choose all volumes, or volume trigger xss 7. Click Update asset indexes. XSS will be triggered Json response volumes name makes triggers the payload "session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"}, It’s run on every POST request in the utility. Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766

### Summary XSS can be triggered by review volumes ### PoC 1. Access setting tab 2. Create new assets 3. In assets name inject payload: "<script>alert(1337)</script> 4. Click Utilities tab 5. Choose all volumes, or volume trigger xss 6. Click Update asset indexes. 7. Wait to assets update success. 8. Progress complete. 9. Click on review button will trigger XSS ### Root cause Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770 After loading completed, progess will load: "skippedEntries" and "missingEntries" These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries" ### My reponse: { "session": { "id": 10, "indexedVolumes": { "6": "\"<script>alert(1337)</script>" }, "totalEntries": 2235, "processedEntries": 2235, "cacheRemoteImages": true, "listEmptyFolders": false, "isCli": false, "actionRequired": true, ...

### Summary A malformed RSS feed can deliver an XSS payload ### PoC Create an RSS widget and add the domain https://blog.whitebear.vn/file/rss-xss2.rss The XSS payload will be triggered by the title in tag `<item>` Resolved in https://github.com/craftcms/cms/commit/b77cb3023bed4f4a37c11294c4d319ff9f598e1f

### Summary The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. ### Details Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. ### PoC 1. Login at admin 2. Go to setting 3. Create a Section 4. On Entry page, click Edit label 5. Inject the XSS payload into the label and save 6. On the admin dashboard choose new widget -> Quick Post 7. In Quick Post, click save with blank slug; The XSS will be executed "errors":{"title":["<script>alert('nono')</script> cannot be blank."],"slug":["Slug cannot be blank."] Fixed in https://github.com/craftcms/cms/commit/9d0cd0bda7c8a830a3373f8c0f06943e519ac888