Croogo CMS 1.2 Cross Site Scripting Vulnerabilities
Croogo CMS 1.2 stores contact form titles and subjects without sanitisation, allowing an attacker to inject HTML or JavaScript that executes in the administrator's browser when the message is viewed, enabling session theft.
CVSS Score
Severity
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Advisory
| Application | Croogo CMS |
| Vulnerable Versions | 1.2 and prior |
| Fixed In | 1.2.1 |
| Websec Advisory | WS10-07 |
Background
Croogo is a content management system built on CakePHP. The Contact module stores received messages in the database.
Description
The title and subject fields on the contact form are stored without sanitisation and later rendered unencoded in the admin panel. Attacker-supplied markup therefore runs in the context of the administrator's browser when the administrator views the message, enabling session theft and further pivoting into the admin panel.
Exploit / Proof of Concept
Submit the contact form with a malicious payload in the subject or title field. When the message is viewed in the admin panel, the payload executes.
Workaround
Upgrade to Croogo 1.2.1, or replace contacts_controller.php with the patched copy from Croogo's public repository.
Remediation
Upgrade to Croogo 1.2.1.
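The root cause and fix described above, as an added example that is not Croogo's code: a row renderer that echoes the stored fields verbatim beside one that encodes them at the point of output, plus a check over already-stored messages for markup so an administrator can tell whether the issue was abused before the upgrade. The field names `title` and `subject` follow the advisory; the sample rows, function names and the `contact_messages` table name are constructed for the illustration.

```php
<?php
// Added example, not Croogo's code. Assumes contact messages are rows with
// 'id', 'title' and 'subject' fields as the advisory describes; the sample
// data and table name below are constructed.

/**
 * Encode a stored string for insertion into HTML element content.
 * ENT_QUOTES also makes the output safe inside quoted attribute values.
 */
function escapeHtml($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Vulnerable pattern: stored fields are echoed straight into the admin view. */
function renderMessageRowVulnerable(array $row)
{
    return '<tr><td>' . $row['title'] . '</td><td>' . $row['subject'] . '</td></tr>';
}

/** Hardened pattern: every stored value is encoded when it is output. */
function renderMessageRowHardened(array $row)
{
    return '<tr><td>' . escapeHtml($row['title']) . '</td><td>'
        . escapeHtml($row['subject']) . '</td></tr>';
}

/**
 * Defender check over existing data: report messages whose title or subject
 * contains what looks like the start of an HTML tag or comment.
 */
function findMessagesWithMarkup(array $rows)
{
    $hits = array();
    foreach ($rows as $row) {
        foreach (array('title', 'subject') as $field) {
            if (preg_match('/<[a-z\/!?]/i', $row[$field])) {
                $hits[] = array('id' => $row['id'], 'field' => $field);
            }
        }
    }
    return $hits;
}

// Constructed sample rows standing in for the contact_messages table.
$rows = array(
    array('id' => 1, 'title' => 'Pricing question', 'subject' => 'Quote for 10 seats'),
    array('id' => 2, 'title' => 'Hello <b>there</b>', 'subject' => 'Plain subject'),
);
echo renderMessageRowHardened($rows[1]), PHP_EOL; // <b> is emitted as &lt;b&gt;
print_r(findMessagesWithMarkup($rows));           // reports id 2, field title
```

Run the check against the real table before replacing `contacts_controller.php` or upgrading; any hit is a message worth reviewing, and the admin sessions active when it was viewed should be treated as exposed.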