Grav <= 1.7.44 - Stored XSS (Authenticated) (CVE-2023-31506)

07 February 2024 - less than 1 min read time
Tags: CVE 0day XSS Grav CMS

Introduction

• CVE-ID: CVE-2023-31506
• Vulnerability Type: Stored Cross-Site Scripting (Authenticated)
• Affected Product Code Base: Grav 1.7.44 (or before)
• Affected Component: Affects the CMS text editor (e.g. articles on the main page).
• Attack Type: Remote
• Impact: A remote and authenticated attacker (editor role or permissions to publish), would manage to inject malicious JavaScript code in the form fields to be executed on the users or administrators of the application when accessing the article or another area of the application.
• Attack Vectors: To exploit the vulnerability, you need to be authenticated with a user with editor or publisher access.

Description

A remote and authenticated attacker (editor role or permissions to publish), would manage to inject malicious JavaScript code in the form fields to be executed on the users or administrators of the application when accessing the article or another area of the application.

Exploitation

In the following evidence, the payload used:

<isindex x="javascript:" onmouseover="alert('m3n0sd0n4ld')">

When saving, the application shows that there is a potential XSS, but has allowed the saving of the file:.

The following illustration, the victim’s browser is shown, in which the reload or access to the section is performed and the javascript code is executed.

Mitigation

• Perform strict server-side validation for all data entered by the user.
• Correctly escape or filter special characters, preventing them from being printable or executed.
• Filter or restrict entries with certain types of characters used in HTML/JavaScript in the different user input fields.

Timeline

• 17/04/2023 - The vendor is notified without response.
• 11/05/2023 - MITRE is notified and the CVE identifier is assigned.
• 07/02/2024 - MITRE is notified of the status, fulldisclosure is authorized.
• 09/02/2024 - NVD published the first details for CVE-2023-31506

Acknowledgments

We would like to thank MITRE CVE for their attention and speed in the procedures with the CVE identifier.

References

• Mitre - CVE-2023-31506
• OWASP - Cross Site Scripting
• OWASP - HTML Injection