Source: security-advisories@github.com
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field. In order to exploit the vulnerability, an attacker must have an administrator account, and `allowAdminChanges` must be enabled in production, which is against Craft's security recommendations. Versions 4.16.19 and 5.8.23 patch the issue.
Craft CMS is vulnerable to a stored cross-site scripting (XSS) attack, allowing attackers with administrative access to inject malicious JavaScript into web pages. This vulnerability, present in versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, could lead to account compromise and data theft if exploited successfully.
Step 1: Account Compromise (Prerequisite). An attacker must first obtain administrative access to the Craft CMS instance. This could involve brute-forcing credentials, exploiting other vulnerabilities, or social engineering.
Step 2: Payload Injection. The attacker, logged in as an administrator, navigates to a section within Craft CMS where the `editableTable.twig` component is used, likely within a content entry or custom field configuration.
Step 3: Malicious Input. The attacker enters a crafted HTML payload containing JavaScript code (e.g., `<script>alert('XSS')</script>`) into a field using the `html` column type within the editable table.
Step 4: Payload Storage. The attacker saves the content entry or field configuration, storing the malicious JavaScript payload in the Craft CMS database.
Step 5: Victim Interaction. When a legitimate user with appropriate permissions views the page or content entry containing the malicious table field, the Craft CMS application retrieves the stored data from the database.
Step 6: Payload Execution. The application renders the content, including the attacker's injected JavaScript. Because the input was not properly sanitized, the JavaScript executes in the victim's browser, allowing the attacker to perform actions such as stealing cookies, redirecting the user, or defacing the website.
The vulnerability stems from a lack of proper sanitization in the `editableTable.twig` component of Craft CMS when it renders the `html` column type: the template outputs user-supplied HTML without escaping or filtering it, so any JavaScript an administrator stores in such a cell is executed in the browsers of other users who view the affected page. The root cause is a missing or inadequate HTML escaping or sanitization step in the template rendering path for the `html` column type, which lets malicious markup be stored in the database and later displayed unfiltered, leading to XSS.
While no specific APT groups are directly linked to this CVE, XSS vulnerabilities are commonly exploited by various threat actors. The impact of successful exploitation (account takeover, data theft) makes it attractive for both financially motivated and state-sponsored actors. This CVE is not listed in the CISA KEV database.
Review web server logs for suspicious HTTP requests containing JavaScript payloads (e.g., <script>, onerror, onload).
Monitor database entries for unexpected HTML tags or JavaScript code within fields using the `html` column type.
Implement a Web Application Firewall (WAF) with rules to detect and block XSS attempts.
Use a Content Security Policy (CSP) to restrict the execution of inline JavaScript and external scripts.
Conduct regular vulnerability scans of the Craft CMS instance.
Monitor user activity for unusual behavior, such as changes to content or settings by administrators.
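The log review and database-field checks above, as an added example that is not part of the advisory or of Craft CMS: a small Python scanner that URL-decodes each line (including double-encoded values) and flags the markers the advisory names (script tags, onerror/onload handlers) plus javascript: URIs; the same find_xss_markers function can be run over stored field values. The log lines, paths and field names are constructed, and the example assumes a log that records request bodies or query strings (a WAF or application log), since standard access logs omit POST bodies.

```python
import re
from urllib.parse import unquote_plus

# Markers of the payload shapes the advisory mentions (script tags, onerror/onload
# handlers) plus javascript: URIs. Constructed list, not from Craft CMS or the advisory.
XSS_MARKERS = [
    ("script-tag", re.compile(r"<\s*script\b", re.IGNORECASE)),
    ("event-handler", re.compile(r"\bon(?:error|load|click|mouseover|focus)\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
]

def normalize(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are exposed."""
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def find_xss_markers(text: str) -> list[str]:
    """Names of the markers present in one request line or one stored field value."""
    normalized = normalize(text)
    return [name for name, pattern in XSS_MARKERS if pattern.search(normalized)]

def scan_log_lines(lines: list[str]) -> list[tuple[int, list[str]]]:
    """Return (1-based line number, markers) for every line that carries a marker."""
    hits = []
    for number, line in enumerate(lines, start=1):
        markers = find_xss_markers(line)
        if markers:
            hits.append((number, markers))
    return hits

# Constructed sample lines from a hypothetical WAF log that records request bodies;
# the paths and the body field name are illustrative, not Craft's real routes.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /admin/entries/save HTTP/1.1" 200 "title=Quarterly+report"',
    '10.0.0.5 - - [01/Jan/2024:10:01:00 +0000] "POST /admin/entries/save HTTP/1.1" 200 "html=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"',
    '10.0.0.7 - - [01/Jan/2024:10:02:00 +0000] "POST /admin/entries/save HTTP/1.1" 200 "html=%253Cimg+src%253Dx+onerror%253Dalert%25281%2529%253E"',
    '10.0.0.9 - - [01/Jan/2024:10:03:00 +0000] "GET /news/update HTTP/1.1" 200 "-"',
]

if __name__ == "__main__":
    for number, markers in scan_log_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(markers)}")
```

Expect false positives from legitimate rich-text content saved through the control panel, so treat hits as triage leads and correlate them with the administrator account and entry that produced them.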
Upgrade to Craft CMS version 4.16.19 or 5.8.23 or later to patch the vulnerability.
If upgrading is not immediately possible, implement a Web Application Firewall (WAF) with rules to filter and sanitize user input before it reaches the application.
Review and harden the Craft CMS configuration, ensuring that `allowAdminChanges` is disabled in production environments.
Implement a Content Security Policy (CSP) to mitigate the impact of XSS attacks.
Regularly back up the Craft CMS database and files.
Educate administrators on secure coding practices and the dangers of XSS vulnerabilities.