GHSA-6j87-m5qx-9fqp
Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type
Details
A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `Row Heading` column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.
## Prerequisites * An administrator account * `allowAdminChanges` must be enabled in production, which is [against security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production).
## Steps to Reproduce 1. Navigate to **Settings** → **Fields** and create a new field with Type: **Table** 1. Add a **Column Heading** and set **Column Type** to `Row Heading` 1. In **Default Values** section, add a row with the following payload: ```html <img src=x onerror="alert('XSS')"> ``` 1. Enable `Static Rows` 1. Use the field in any object (e.g., user profile fields) → then visit any user’s profile 1. Notice the XSS execution
## Resources
https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a
Are you affected?
Enter the version of the package you're using.
Affected packages
4.5.0-beta.1 Fixed in: 4.16.19 composer require craftcms/cms:^4.16.19 5.0.0-RC1 Fixed in: 5.8.23 composer require craftcms/cms:^5.8.23 References
- https://github.com/craftcms/cms/security/advisories/GHSA-6j87-m5qx-9fqp [WEB]
- https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a [WEB]
- https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production [WEB]
- https://github.com/craftcms/cms [PACKAGE]
- https://github.com/craftcms/cms/releases/tag/4.16.19 [WEB]
- https://github.com/craftcms/cms/releases/tag/5.8.23 [WEB]