Croogo CMS 1.3 'Contact' and 'User' Module HTML Injection
Croogo CMS 1.3 fails to sanitize user-supplied input in the Contact and User modules, letting attackers inject HTML and JavaScript that runs in an administrator's browser and enables session theft or UI redressing.
CVSS Score
Severity
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Advisory
| Application | Croogo CMS |
| Vulnerable Versions | 1.3 |
| Fixed In | 1.3.1 |
| Websec Advisory | WS10-08 |
Description
Croogo CMS is prone to HTML injection because it fails to sanitize user-supplied input. Attacker-supplied markup and script code run in the context of the affected browser, allowing session theft, UI redressing, or other client-side attacks.
Exploit / Proof of Concept
Inject HTML or JavaScript through:
- The `name` field in the user registration form (/users/add).
- The `data[Comment][body]` field on the "add a comment" form (/comments/add/).
The comment body is HTML-encoded when stored, but the Tipsy tooltip library decodes the stored string again when it builds the tooltip, so the markup is re-introduced live in the admin panel.
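The re-decoding chain described above, as an added example that is not Croogo's or Tipsy's code: a storage-side escaper, the entity decoding the browser applies to an attribute value, and a tooltip sink that inserts the title either as markup or as text (the `asHtml` switch is assumed to mirror a tooltip library's `html` option; the admin row template and the sample comment are constructed).

```javascript
// Storage-side sanitizer (assumed): encode the comment body before saving.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// What the browser's HTML parser does to an attribute value: a single round
// of entity decoding (&amp; last, so "&amp;lt;" becomes "&lt;", not "<").
function decodeEntities(s) {
  return s.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
          .replace(/&#39;/g, "'").replace(/&amp;/g, "&");
}

// Constructed admin template: the stored (already encoded) body lands in a
// title attribute that the tooltip library later reads.
function renderAdminRow(storedBody) {
  return '<td><a href="#" class="tip" title="' + storedBody + '">view</a></td>';
}

// What el.getAttribute("title") returns for that row: the decoded value.
function attributeValue(html, attr) {
  const m = new RegExp(attr + '="([^"]*)"').exec(html);
  return m ? decodeEntities(m[1]) : null;
}

// Tooltip sink. asHtml=true models a library that injects the title with
// .html(): the storage encoding has already been undone by the browser, so the
// original markup becomes live. asHtml=false models a text sink (.text()),
// which is the safe default: encode again at the point of insertion.
function tooltipMarkup(domTitle, asHtml) {
  return asHtml ? domTitle : escapeHtml(domTitle);
}

// Walk a constructed comment through store -> render -> DOM -> tooltip.
function traceComment(body, asHtml) {
  const stored = escapeHtml(body);
  const domTitle = attributeValue(renderAdminRow(stored), "title");
  return { stored, domTitle, tooltip: tooltipMarkup(domTitle, asHtml) };
}

// Stand-alone demo: compare the markup sink with the text sink.
console.log(traceComment('<img src=x onerror="alert(1)">', true));
console.log(traceComment('<img src=x onerror="alert(1)">', false));
```

With the markup sink, `tooltip` is byte-for-byte the submitted comment; with the text sink it stays encoded.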
Workaround
Upgrade to Croogo 1.3.1, or apply the patch Websec submitted to the Croogo public repository.
Remediation
Upgrade to Croogo 1.3.1.