Stored XSS in Title in spinacms/spina
Reported on
Jun 28th 2023
Description
Spina's admin screen has a stored XSS in the page title.
By embedding arbitrary JavaScript in the page title, an attacker can have that script executed in the browser of an administrator who opens the page and deletes it.
Proof of Concept
Step 1. Access the admin screen and create a new page.
Step 2. Enter the following payload as the page title and save it.
Step 3. The embedded script (here, alert) executes on the confirmation screen when the saved page is deleted.
Payload
'"><img src=x onerror=alert(document.domain)>
Parameter
page[en_content_attributes][0][title]
Privilege required for attack
Users who can log in to the administrator screen and edit pages
PoC Video
https://drive.google.com/file/d/1daQkxox9Y_U4pveMv24daeWUfA9u_vte/view?usp=sharing
Impact
Stored XSS vulnerabilities can lead to data theft, account compromise, and the distribution of malware.
Attackers can inject malicious scripts into a website, allowing them to steal sensitive information or hijack user sessions.
Additionally, stored XSS can result in website defacement and content manipulation, causing reputational damage.
It can also be used as a platform for launching phishing attacks, tricking users into revealing their credentials or sensitive data.
Occurrences
actions_component.html.erb L42-L43
As a workaround, properly escape the page title where it is output on the delete confirmation.
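An illustration of the output-encoding point the report and the thread discuss (the page title interpolated into the delete confirmation unescaped versus escaped), added here as an example and not taken from Spina's actions_component.html.erb; the templates, function names and the input-side check are assumptions:

```ruby
require "erb"

# Payload from the PoC above (constructed test input for this example).
PAYLOAD = %q{'"><img src=x onerror=alert(document.domain)>}

# Hypothetical delete-confirmation rendering that mirrors the reported pattern:
# the stored title is dropped into HTML without encoding, so the browser parses
# the <img> tag and runs its onerror handler. Not Spina's actual template.
def confirm_delete_html_unescaped(title)
  "<p>Delete page \"#{title}\"?</p>"
end

# Hardened variant: encode the title for an HTML text context before interpolating.
# ERB::Util.html_escape turns < > & " ' into entities, so the stored string is
# displayed verbatim instead of being parsed as markup.
def confirm_delete_html_escaped(title)
  "<p>Delete page \"#{ERB::Util.html_escape(title)}\"?</p>"
end

# Same contrast as ERB templates. Plain Ruby ERB does not auto-escape, which
# matches <%== title %> / raw(title) / title.html_safe in a Rails view; the
# explicit html_escape matches what Rails' default <%= %> handler does.
VULNERABLE_TEMPLATE = %q{<p>Delete page "<%= title %>"?</p>}
SAFE_TEMPLATE       = %q{<p>Delete page "<%= ERB::Util.html_escape(title) %>"?</p>}

def render_erb(template, title)
  ERB.new(template).result_with_hash(title: title)
end

# Optional input-side check along the lines of the validation suggested in the
# thread: flag titles containing HTML-significant characters or an on*= handler.
# Useful as a model validation or a log alert, but output encoding above is the
# actual fix: a new validation covers neither other fields nor rows already stored.
def title_contains_markup?(title)
  title.match?(/[<>]/) || title.match?(/\bon\w+\s*=/i)
end

if __FILE__ == $PROGRAM_NAME
  puts confirm_delete_html_unescaped(PAYLOAD)  # tag survives: a browser would run it
  puts confirm_delete_html_escaped(PAYLOAD)    # entities only: shown as text
end
```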
Thank you for finding this! This is easily fixed by sanitizing the title on that delete button, but perhaps it's better to prevent storing this in the db in the first place right?
@bramjetten, hello.
The workaround is to sanitize the title that is displayed when deleting a page.
For further improvement, it is also recommended to validate so that strings containing symbols etc. cannot be specified in the title.
Doesn't this apply to pretty much all input fields in Spina though?
Regarding input restrictions, it is recommended to have validation if there is a specific type. (URL, etc.)
For the time being, we recommend fixing this vulnerability as a top priority.
Thanks for the fix!
Could you please update the status of this report? Also, ask admin for permission to issue a CVE ID.
Not able to mark as fixed for some reason. Button is broken it seems.
Managed to mark it as fixed, had to get the correct sha :)