Cross-site Scripting (XSS) - Stored in mineweb/minewebcms

Valid

Reported on

Sep 14th 2021


Description

A malicious actor is able to store a malicious payload as a new Page title; afterwards, every time any administrative user visits the /admin/pages route, the XSS payload is executed.

Proof of Concept

1. Create a new Page at the following route: /admin/pages/add. Use the following payload as the Page title: <script>alert("This Is An XSS POC");</script>, and save with an arbitrary URL and content.

2. Save the new Page; upon saving, the XSS payload is executed already.

3. Now, each time any administrative user visits the Pages admin menu at the /admin/pages route, the XSS payload gets executed.

Impact

The danger of this stored XSS is that a malicious actor is able to gather session identifiers from any other admin user who happens to browse the Pages menu. The malicious actor can thus impersonate any other admin and act as them. Once this information is obtained, the confidentiality of sessions is compromised.
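To make the defect concrete from the defender's side, here is an added example (not MineWebCMS code, which is PHP) contrasting the unsafe rendering of a stored Page title in an admin listing with the output-encoding fix, plus a post-patch audit that flags titles that already contain markup. The page rows are constructed sample data.

```python
import html
import re

# Constructed sample rows standing in for the CMS pages table (not real data).
# Row 2 carries the exact payload from the report's proof of concept.
PAGES = [
    {"id": 1, "title": "Rules", "url": "rules"},
    {"id": 2, "title": '<script>alert("This Is An XSS POC");</script>', "url": "poc"},
    {"id": 3, "title": 'Shop "Deals" & Offers', "url": "shop"},
]


def render_pages_table_unsafe(pages):
    """'Before' behaviour: the stored title is concatenated into the admin
    listing verbatim, so markup saved as a title runs in every admin's browser."""
    rows = "".join(f"<tr><td>{p['id']}</td><td>{p['title']}</td></tr>" for p in pages)
    return f"<table>{rows}</table>"


def render_pages_table_safe(pages):
    """Hardened rendering: every attacker-controlled field is HTML-entity
    encoded for an element-body context before it reaches the template."""
    rows = "".join(
        f"<tr><td>{html.escape(str(p['id']))}</td>"
        f"<td>{html.escape(p['title'], quote=True)}</td></tr>"
        for p in pages
    )
    return f"<table>{rows}</table>"


# Anything that looks like the start of an HTML tag or comment (<a, </b, <!--).
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def audit_stored_titles(pages):
    """Clean-up check after upgrading: return ids of pages whose stored title
    already contains markup, since escaping on output does not remove payloads
    that were saved before the fix."""
    return [p["id"] for p in pages if TAG_RE.search(p["title"])]
```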

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 years ago
nivcoo validated this vulnerability a year ago
PHoward has been awarded the disclosure bounty
The fix bounty is now up for grabs
nivcoo marked this as fixed in 1.15.1 with commit e45797 a year ago
nivcoo has been awarded the fix bounty
This vulnerability will not receive a CVE