icon

We found results for “

CVE-2021-25974

Date: November 10, 2021

Overview

In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.

Details

A user with a “publisher” role is able to inject javascript while creating a page/article which assists in taking over the “admin” account.

PoC Details

In incognito mode, sign in to the application as Alice, which is a “publisher” role user.
Go to the “/admin/pages/new” endpoint and then create a page with malicious javascript payload. Publish it after putting a custom permalink. Copy the short URL generated.
On another window, login with the admin credentials and paste the short url. XSS will be triggered.

PoC Code

<script>alert(“xss”)</script>

Affected Environments

Publify versions 8.0 to 9.2.4

Prevention

Update to Publify version v9.2.5

Language: Ruby

Good to know:

icon

Cross-Site Scripting (XSS)

CWE-79
icon

Upgrade Version

Upgrade to version publify_core - 9.2.5

Learn More

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilegs Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information: