
[CVE-2017-17889] Kliqqi CMS - XSS Vulnerability in Version 3.5.2


Product Information:

Software: Kliqqi CMS

Tested Version: 3.5.2, released 11.01.2017

Vulnerability Type: Cross-Site Scripting (CWE-79)

Description: Kliqqi is a fork of Pligg CMS


Vulnerability description:

There are two stored XSS and two DOM-based XSS vulnerabilities. All of them require only a regular (non-admin) account.

To replicate Stored XSS (1):

  1. Create a user with normal or moderator rights
  2. Log in as that user
  3. Navigate to /pligg/groups.php and create a new group with the group name " onmouseover=confirm(0) "
  4. Navigate back to /pligg/groups.php and hover the cursor over the group's avatar; the payload should trigger. The group name is written into an HTML attribute without encoding, so the quote closes the attribute and the injected onmouseover becomes an event handler.

To replicate Stored XSS (2):

  1. Log in as the user
  2. Navigate to the user's profile settings page (top right drop-down -> Profile -> Settings)
  3. Update the Homepage to javascript:alert(0) and save
  4. Upon saving, the updated value should be shown below the username
  5. Clicking the link triggers the payload. The value is placed in the link's href with no check on the URL scheme, so HTML encoding alone would not prevent this.

To replicate the DOM-based XSS:

  1. Log in as a normal user
  2. Navigate to /pligg/submit.php
  3. Enter "><svg/onload=alert()> in Tags; the payload should trigger
  4. Remove the payload from Tags and add it to Description; the payload should trigger again
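
The three injection points above correspond to three different output contexts (HTML attribute, URL attribute, and client-side DOM rendering), and each needs a different fix. The following is an added example, not code from Kliqqi or Plikli: the markup strings, function names and field handling are hypothetical stand-ins for the real templates, which the advisory does not show. It places the vulnerable pattern beside its hardened form for each case.

```javascript
// Added example (not Kliqqi/Plikli code). The <img>, <a> and <span> markup
// below is a hypothetical stand-in for the real Kliqqi 3.5.2 templates.

// Encode a string for insertion into an HTML attribute value or text node.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Stored XSS (1): group name reflected into the avatar's title attribute.
// Vulnerable: the name is concatenated raw, so `" onmouseover=confirm(0) "`
// closes the attribute and adds an event handler.
function renderAvatarUnsafe(groupName) {
  return '<img class="avatar" src="/avatar.png" title="' + groupName + '">';
}

// Hardened: same markup, value encoded for the attribute context.
function renderAvatarSafe(groupName) {
  return '<img class="avatar" src="/avatar.png" title="' + escapeHtml(groupName) + '">';
}

// Stored XSS (2): user-supplied homepage rendered as a link. Encoding alone does
// not help, because "javascript:alert(0)" contains nothing to encode; the scheme
// must be checked. The WHATWG URL parser removes tabs/newlines, trims leading
// whitespace and lowercases the scheme, so "JaVa\tScRiPt:" variants are caught.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns a normalised absolute http(s) URL, or null if the value is rejected.
function safeHref(input) {
  let parsed;
  try {
    parsed = new URL(String(input)); // no base: homepage must be absolute
  } catch (e) {
    return null;
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? parsed.href : null;
}

function renderHomepageLink(homepage) {
  const href = safeHref(homepage);
  if (href === null) {
    return '<span class="homepage-invalid">(invalid homepage)</span>';
  }
  return '<a href="' + escapeHtml(href) + '" rel="noopener nofollow">' + escapeHtml(href) + '</a>';
}

// DOM-based XSS: tag/description preview built on the client.
// Vulnerable: innerHTML parses the raw string, so `"><svg/onload=alert()>`
// executes as soon as it is inserted.
function renderTagsUnsafe(container, tags) {
  container.innerHTML = tags.map(t => '<span class="tag">' + t + '</span>').join(' ');
}

// Hardened: build elements and assign text via textContent, which is never
// parsed as markup. (Requires a DOM; only called in a browser.)
function renderTagsSafe(container, tags) {
  container.textContent = ''; // clear the previous preview
  for (const t of tags) {
    const span = document.createElement('span');
    span.className = 'tag';
    span.textContent = t;
    container.appendChild(span);
  }
}
```

The server-side and DOM-side fixes are independent: encoding the stored value on output (cases 1 and 2) does not protect a preview that client-side script later assigns to innerHTML, and vice versa, so both paths have to be hardened.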

Impact:

An attacker is able to inject malicious scripts into an otherwise benign and trusted web site. Because the stored payloads are served to every user who views the affected group list or profile, the script runs in the victim's browser with that user's session: it can read any cookies, session tokens or other sensitive information the browser holds for the site (unless protected by HttpOnly), perform actions as the victim, and rewrite the contents of the HTML page. Exploitation is also made easy with BeEF (The Browser Exploitation Framework), which can hook a victim's browser from such an injected script.


Solution:

The developer of Kliqqi CMS has moved on to a new project, Plikli CMS. Kliqqi CMS 3.5.2 itself has not received a fix.

Plikli CMS v4.0 includes fixes for the vulnerabilities described in this advisory.


Timeline:

Vulnerability found: 24.12.2017

Vendor informed: 24.12.2017

Response by vendor: 24.12.2017

Fix by vendor: 03.01.2018

Patched version released: 22.04.2018

Public Advisory: 22.04.2018


References:

https://www.plikli.com/download-plikli/