[CVE-2017-17889] Kliqqi CMS – XSS Vulnerability in Version 3.5.2
Product Information:
Software: Kliqqi CMS
Tested Version: 3.5.2, released 11.01.2017
Vulnerability Type: Cross-Site Scripting (CWE-79)
Description: Kliqqi is a fork of Pligg CMS
Vulnerability description:
There are two stored XSS and two DOM-based XSS vulnerabilities.
To replicate Stored XSS(1):
- Create a user with normal or moderator rights
- Log in as that user
- Navigate to /pligg/groups.php and create a new group with group name “ onmouseover=confirm(0) “
- Navigate back to /pligg/groups.php and hover the cursor over the group’s avatar; the payload should trigger
To replicate Stored XSS(2):
- Log in as the user
- Navigate to the user’s profile setting page (Top right drop down -> Profile -> Settings)
- Update the Homepage to javascript:alert(0) and save
- Upon saving, the updated value should show below the username
- Clicking on the URL triggers the payload
To replicate DOM-based XSS:
- Log in as normal user
- Navigate to /pligg/submit.php
- Enter "><svg/onload=alert()> in Tags and the payload should trigger.
- Remove the payload from Tags and add it in Description, the payload should trigger again.
Impact:
An attacker is able to inject malicious scripts into otherwise benign and trusted web sites. The malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can also rewrite the contents of an HTML page. The exploitation process is also made easy with BeEF (The Browser Exploitation Framework).
Solution:
The developer of Kliqqi CMS has moved on to a new project – Plikli CMS.
Plikli CMS v4.0 includes a fix for the vulnerability mentioned in this advisory.
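The two stored cases above come down to a value written into a quoted HTML attribute without encoding, and a profile URL accepted with any scheme. The following is an added sketch of both checks in PHP; it is not Kliqqi or Plikli code, and the function names attr() and safe_homepage() and the sample markup are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not taken from Kliqqi or Plikli.

// Encode a value for use inside a quoted HTML attribute (for example a
// group name placed in an avatar's alt or title). ENT_QUOTES encodes both
// " and ', so the value cannot close the attribute and add an event handler.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept a profile homepage only if it is an absolute http(s) URL.
// Returns the URL, or null when the value must be rejected.
function safe_homepage(string $input): ?string
{
    $url = trim($input);
    // Refuse control characters and whitespace, which browsers may strip
    // from a URL before they resolve its scheme.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    // Allowlist of schemes; the comparison is case-insensitive.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Constructed sample inputs, modelled on the values used in the steps above.
$groupName = '" onmouseover=confirm(0) "';
echo '<img src="avatar.png" alt="' . attr($groupName) . '">' . "\n";

$candidates = ['javascript:alert(0)', ' JaVaScRiPt:alert(0)', 'https://example.org/me'];
foreach ($candidates as $candidate) {
    $ok = safe_homepage($candidate);
    echo $ok === null
        ? "rejected\n"
        : '<a href="' . attr($ok) . '" rel="nofollow noopener">' . attr($ok) . "</a>\n";
}
```

Validating the scheme when the profile is saved and encoding again when it is rendered keeps values stored before the fix from executing.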
Timeline:
Vulnerability found: 24.12.2017
Vendor informed: 24.12.2017
Response by vendor: 24.12.2017
Fix by vendor: 03.01.2018
Patched version released: 22.04.2018
Public Advisory: 22.04.2018