Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into 4 reports as follows:
| Report | What's Vulnerable | Why Separate |
|--------|-------------------|--------------|
| This Report (1) | Multiple settings names | Twig Template: _includes/forms/checkbox.twig |
| Report 2 | Entry Types Name | Twig Template: _includes/forms/editableTable.twig |
| Report 3 | Card Attributes in Field Layout | helpers/Cp.php |
| Report 4 (Commerce) | Product Type Name | Source in Commerce, sink in CMS - will report this one via Commerce GHSA |
Reports 2, 3, and 4 are clearly distinct locations (different templates or helpers). For this report (Report 1), it was not clear whether to split or consolidate the 7 bugs, since they share a single sink (checkbox.twig) but have different injection points. They were consolidated into this one report; the final categorization is left to the judgement of the reader.
Note: This overview is only in this Report. Other reports only reference this one.
Stored XSS in multiple settings. Setting names and labels are rendered unescaped by the _includes/forms/checkbox.twig template, which outputs them with {{ label|raw }}; the raw filter bypasses Twig's autoescaping, so any markup stored in one of these names is emitted verbatim into the control panel page that lists it.
| # | Source (injection point) | Sink (where payload reflects) |
| --- | ------------------------------------------------------------------------ | --------------------------------------------- |
| 1 | Section Name (/admin/settings/sections) | Entries field -> Sources checklist |
| 2 | Volume Name (/admin/settings/assets/volumes/{vol_id}) | Assets field -> Sources checklist |
| 3 | User Group Name (/admin/settings/users/groups) | Users field -> Sources, User permissions page |
| 4 | Global Set Name (/admin/settings/globals) | User permissions page |
| 5 | Generated Fields Name (Volumes, Users, etc.)...
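The following is an added example, not code from Craft CMS or from the advisory author. It models the mechanism above with a constructed Twig fragment (only the {{ label|raw }} expression mirrors the real checkbox.twig; the surrounding markup, the variable names, and the section-name payload are assumptions) and shows two things a practitioner would want: a minimal renderer demonstrating that |raw lets a stored name reach the page unescaped while the autoescaped form neutralizes it, and a static check that lists every variable a Twig source pipes through |raw, which is a quick way to triage other templates for the same pattern.

```python
import html
import re

# Constructed stand-in for the relevant fragment of _includes/forms/checkbox.twig.
# Only the `{{ label|raw }}` output expression mirrors the advisory; the rest is illustrative.
CHECKBOX_TEMPLATE = """<label for="{{ id }}">
  <input type="checkbox" id="{{ id }}" name="{{ name }}">
  {{ label|raw }}
</label>"""

# One hardened variant: drop |raw and let autoescaping encode the label.
# (Illustrative only; the project's actual fix may differ.)
CHECKBOX_TEMPLATE_FIXED = CHECKBOX_TEMPLATE.replace("{{ label|raw }}", "{{ label }}")

# Matches a Twig output expression: {{ var }} or {{ var|filter|filter... }}
EXPR_RE = re.compile(r"\{\{\s*(\w+)((?:\s*\|\s*\w+)*)\s*\}\}")


def _filters(filter_chain: str) -> list[str]:
    """Split the '|a|b' part of an expression into ['a', 'b']."""
    return [f.strip() for f in filter_chain.split("|") if f.strip()]


def render(template: str, context: dict) -> str:
    """Minimal model of Twig with autoescape=html: every {{ var }} is
    HTML-escaped unless the expression applies the |raw filter."""
    def substitute(match: re.Match) -> str:
        name, chain = match.group(1), match.group(2)
        value = str(context.get(name, ""))
        if "raw" in _filters(chain):
            return value                      # emitted verbatim: the XSS sink
        return html.escape(value, quote=True)  # autoescaped: markup neutralized
    return EXPR_RE.sub(substitute, template)


def find_raw_outputs(template: str) -> list[str]:
    """Static check: names of variables a Twig source passes through |raw."""
    return [m.group(1) for m in EXPR_RE.finditer(template)
            if "raw" in _filters(m.group(2))]


# Constructed payload, standing in for a Section Name saved at /admin/settings/sections
# and later rendered in an Entries field's Sources checklist.
PAYLOAD = '<img src=x onerror="alert(document.domain)">'
CONTEXT = {"id": "sources-1", "name": "sources[]", "label": PAYLOAD}


def payload_reaches_dom(template: str) -> bool:
    """True if the stored name is emitted as live markup rather than text."""
    return "<img src=x" in render(template, CONTEXT)


if __name__ == "__main__":
    print("raw variables in vulnerable template:", find_raw_outputs(CHECKBOX_TEMPLATE))
    print("vulnerable:", payload_reaches_dom(CHECKBOX_TEMPLATE))
    print("hardened:  ", payload_reaches_dom(CHECKBOX_TEMPLATE_FIXED))
    print(render(CHECKBOX_TEMPLATE_FIXED, CONTEXT))
```

Running find_raw_outputs over a real template tree (reading each .twig file and printing the file name alongside the returned variable names) gives the list of places to review; each hit is only a problem when the variable can carry user-controlled data, which is exactly the condition the seven injection points in the table above satisfy.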
Versions listed in the advisory: 4.17.0-beta.1, 5.9.0-beta.1
CVSS 4.0 score: 2.1
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
Exploitability: AV:N, AC:L, AT:N, PR:N, UI:P. Vulnerable system: VC:N, VI:N, VA:N. Subsequent system: SC:L, SI:L, SA:N.