GHSA-4mgv-366x-qxvx
Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options
상세
## Overview of all XSS Reports
Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into **4 reports** as follows:
| Report | What's Vulnerable | Why Separate | |--------|-------------------|--------------| | **This Report (1)** | Multiple settings names | Twig Template: `_includes/forms/checkbox.twig` | | **Report 2** | Entry Types Name | Twig Template: `_includes/forms/editableTable.twig` | | **Report 3** | Card Attributes in Field Layout | `helpers/Cp.php` | | **Report 4 (Commerce)** | Product Type Name | Source in Commerce, sink in CMS - will report this one via Commerce GHSA |
Reports 2, 3, and 4 are clearly distinct locations. For this report (Report 1), it was not clear whether to split or consolidate these 7 bugs. The bug report was consolidated and the final categorization should be left to the judgement of the user.
**Note:** This overview is only in this Report. Other reports only reference this one.
--- ## Summary
Stored XSS in multiple settings. Names/labels are rendered without sanitization via `checkbox.twig` template which uses `{{ label|raw }}`.
--- ## Affected Sources
| # | Source (injection point) | Sink (where payload reflects) | | --- | ------------------------------------------------------------------------ | --------------------------------------------- | | 1 | Section Name (`/admin/settings/sections`) | Entries field -> Sources checklist | | 2 | Volume Name (`/admin/settings/assets/volumes/{vol_id}`) | Assets field -> Sources checklist | | 3 | User Group Name (`/admin/settings/users/groups`) | Users field -> Sources, User permissions page | | 4 | Global Set Name (`/admin/settings/globals`) | User permissions page | | 5 | Generated Fields Name (Volumes, Users, etc.) | Card Attributes checkboxes | | 6 | Checkboxes & Radio Buttons Field Option Label (`/admin/settings/fields`) | User profile pages | | 7 | Custom Sources Label (`/admin/users` -> Customize Sources) | Users field -> Sources checklist |
--- ## Proof of Concept
### Required Permissions (Attacker) - Admin access - `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).
### Bugs 1-3: Section, Volume, User Group Names
1. Log in as admin. 2. Inject payload in one of these: - **Settings** -> **Sections** -> Create/edit section -> **Name** - **Settings** -> **Assets** -> **Volumes** -> Create/edit volume -> **Name** - **Settings** -> **Users** -> **User Groups** -> Create/edit group -> **Name** 3. Set **Name** to: ```html <img src=x onerror="alert('XSS')"> ``` 4. Save. 5. Go to **Settings** -> **Fields** -> Create new field. 6. To trigger the XSS payload: Set **Field Type** to "Entries" (for Sections), "Assets" (for Volumes), or "Users" (for User Groups). The alert fires when the Sources checkbox list renders.
**Note:** User Group Name also reflects on **User permissions page** under **User Groups** section (`/admin/users/{id}/permissions`).
---
### Bug 4: Global Set Name
1. Go to **Settings** -> **Globals** (`/admin/settings/globals`). 2. Create/edit a Global Set, set **Name** to payload. 3. Save. 4. Go to **Users** -> Edit any user -> **Permissions** tab (`/admin/users/{id}/permissions`). 5. Alert fires because our payload got rendered in the "Global Sets" permissions section without encoding/sanitization.
---
### Bug 5: Generated Fields Name
1. Go to **Settings** -> **Assets** -> **Volumes** -> Create/Edit a volume. 2. Scroll to **Generated Fields** section. 3. Add a field, set **Name** to payload: ```html <img src=x onerror="alert('XSS')"> ``` 4. Save & Notice the alert. The payload renders in the **Card Attributes** checkbox list below it.
---
### Bug 6: Checkboxes/Radio Buttons Option Label
1. Go to **Settings** -> **Fields** (`/admin/settings/fields`). 2. Create new field, set **Field Type** to "Checkboxes" or "Radio Buttons". 3. In **Field Options**, add an option with **Label** set to payload. 4. Save the field. 5. Go to **Settings** -> **Users** -> **User Profile Fields** (`/admin/settings/users/fields`). 6. Add the created field to the layout and save. 7. Alert fires on any user profile page (`/admin/users/{id}`).
---
### Bug 7: Custom Sources Label
1. Go to **Users** (`/admin/users`). 2. Click the three dots icon -> **Customize Sources**. 3. Create a new custom source, set **Label** to payload. 4. Save. 5. Go to **Settings** -> **Fields** -> Create new field. 6. Set **Field Type** to "Users". 7. Alert fires in the Sources checkbox list.
## Resources
https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276 https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
5.0.0-RC1 수정 버전: 5.9.0-beta.1 composer require craftcms/cms:^5.9.0-beta.1 4.0.0-RC1 수정 버전: 4.17.0-beta.1 composer require craftcms/cms:^4.17.0-beta.1