GHSA-6qjx-787v-6pxr

Suggest an improvement
Source
https://github.com/advisories/GHSA-6qjx-787v-6pxr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-6qjx-787v-6pxr/GHSA-6qjx-787v-6pxr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-6qjx-787v-6pxr
Aliases
Published
2023-05-26T13:56:26Z
Modified
2024-02-16T08:17:11.383893Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Craft CMS stored XSS in indexedVolumes
Details

Summary

XSS can be triggered via the Update Asset Index utility

PoC

  1. Access setting tab
  2. Create new assets
  3. In assets name inject payload: "<script>alert(26)</script>
  4. Click Utilities tab
  5. Choose all volumes, or volume trigger xss
  6. Click Update asset indexes.

XSS will be triggered

Json response volumes name makes triggers the payload

"session":{"id":1,"indexedVolumes":{"1":"\"<script>alert(26)</script>"},

It’s run on every POST request in the utility.

Resolved in https://github.com/craftcms/cms/commit/8c2ad0bd313015b8ee42326af2848ee748f1d766

References

Affected packages

Packagist / craftcms/cms

Package

Name
craftcms/cms
Purl
pkg:composer/craftcms/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-RC1
Fixed
4.4.6

Affected versions

4.*

4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.3.10
4.3.11
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5

Database specific

{
    "last_known_affected_version_range": "<= 4.4.5"
}