VDB
KO
LOW

GHSA-6j87-m5qx-9fqp

Craft CMS has Stored XSS in Table Field in its "Row Heading" Column Type

Details

A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `Row Heading` column type. The application fails to sanitize input within row headings, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.

## Prerequisites * An administrator account * `allowAdminChanges` must be enabled in production, which is [against security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production).

## Steps to Reproduce 1. Navigate to **Settings** → **Fields** and create a new field with Type: **Table** 1. Add a **Column Heading** and set **Column Type** to `Row Heading` 1. In **Default Values** section, add a row with the following payload: ```html <img src=x onerror="alert('XSS')"> ``` 1. Enable `Static Rows` 1. Use the field in any object (e.g., user profile fields) → then visit any user’s profile 1. Notice the XSS execution

## Resources

https://github.com/craftcms/cms/commit/7b372de262b8d9d2ce859f32780c3715719b6f5a

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / craftcms/cms
Introduced in: 4.5.0-beta.1 Fixed in: 4.16.19
Fix composer require craftcms/cms:^4.16.19
Packagist / craftcms/cms
Introduced in: 5.0.0-RC1 Fixed in: 5.8.23
Fix composer require craftcms/cms:^5.8.23

References