
Cross Site Scripting Vulnerability on "Menu Preferences" feature in Textpattern v4.8.1 #1495

Closed
luuthehienhbit opened this issue Jun 8, 2020 · 2 comments

Comments

@luuthehienhbit

Expected behaviour

An authenticated malicious user can take advantage of a Stored XSS vulnerability in the "Menu Preferences" feature.

Impact

Common impacts include transmitting private data, like cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

Steps to reproduce

  1. Log into the Admin.
  2. Go to "Menu Preferences".
     [screenshot]
  3. Click "Custom fields".
     [screenshot]
  4. Insert the payload into the field name:
     '><details/open/ontoggle=confirm(1337)>
  5. Click the Textpattern icon:
     [screenshot]
     [screenshot]

Additional information

Textpattern version: 4.8.1

Bloke closed this as completed in 8623928 on Jun 8, 2020
@Bloke
Member

Bloke commented Jun 8, 2020

Thank you for the report. Although it's a low-level vector (since the only people that can set Custom Field labels are Managing Editors and higher, who should be inherently trusted), sanitizing the label is good practice as they're not supposed to contain any dubious characters.

This is now fixed in the upcoming 4.8.2 release in commit 8623928. Please test and ensure it has no unintended consequences.
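The two controls the thread points at, a whitelist on the stored label and output encoding when it is rendered, shown as an added PHP example. This is not Textpattern's code and not the content of commit 8623928; the function names `sanitize_label` and `render_label`, the allowed character set and the length cap are assumptions, and the input is the payload string quoted in the report above. It assumes the `mbstring` extension is available for `mb_substr`.

```php
<?php
// Added example, not Textpattern's own code: neutralising a Custom Field
// label both when it is saved (whitelist) and when it is rendered (escaping).
// sanitize_label() and render_label() are assumed names for illustration.

declare(strict_types=1);

/**
 * Whitelist filter applied when the label is saved. Keeps letters, digits,
 * spaces and a small set of punctuation; everything else (quotes, angle
 * brackets, slashes, '=') is dropped, then the result is trimmed and capped.
 * The allowed set and the 64-character cap are assumptions for this example.
 */
function sanitize_label(string $label, int $maxLen = 64): string
{
    $clean = preg_replace('/[^\p{L}\p{N} _\-\.,:()]/u', '', $label);
    $clean = trim((string) $clean);
    return mb_substr($clean, 0, $maxLen);
}

/**
 * Output encoding applied when the label is rendered. Even a label that
 * slipped past the whitelist (older rows, direct DB edits) cannot close the
 * attribute or open an element once it is HTML-escaped here.
 */
function render_label(string $label): string
{
    return '<label>' . htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</label>';
}

// Constructed input: the string quoted in step 4 of the report.
$reported = "'><details/open/ontoggle=confirm(1337)>";

// The bug: the stored label is concatenated into the page verbatim, so the
// browser parses it as markup rather than text.
$unsafe = '<label>' . $reported . '</label>';

// The fix, layered: what gets stored, and how any stored value is emitted.
$stored  = sanitize_label($reported);
$escaped = render_label($reported);

printf("unsafe  : %s\n", $unsafe);
printf("stored  : %s\n", $stored);
printf("escaped : %s\n", $escaped);
```

The whitelist belongs in the admin-side save handler so the database never holds markup characters, and the escaping belongs at every place the label is printed; keeping both means a single missed call site does not reintroduce the issue.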

@luuthehienhbit
Author

Hi Bloke.
I will continue testing with your product.
You can have a CVE ID assigned and credit "UraSec Team" in the change log 👍
Thank you!

Bloke added a commit that referenced this issue Jul 12, 2020