GHSA-g3hp-vvqf-8vw6

Details

Summary

A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.

[!NOTE] This is a separate vulnerability from the previously reported "Stored XSS via User Group Name in User Settings Page" and "Multiple Stored XSS in User Group Edit Page". This affects a different sink: the individual user's permissions page.

Proof of Concept

Required Permissions

Admin access
allowAdminChanges is enabled in production, which is against our security recommendations.

Steps to Reproduce

Log in to the control panel as an admin
Navigate to Settings → Users → User Groups
Create or edit a user group and set the Name field to:
```
<img src=x onerror="alert('XSS')" hidden>
```
Save the user group
Navigate to Users and edit any user (/admin/users/{id})
Click on the Permissions tab
XSS executes

Mitigation

Sanitize user group names when rendering in the user permissions template.

References

https://github.com/craftcms/cms-ghsa-4mgv-366x-qxvx/pull/2

Affected Packages

craftcms/cms

Packagist

Fixed in:

5.8.22

References

ADVISORY

https://github.com/advisories/GHSA-g3hp-vvqf-8vw6

PACKAGE

https://github.com/craftcms/cms

WEB

https://github.com/craftcms/cms/releases/tag/5.8.22

WEB

https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6