Statamic Core Cross-Site Scripting Vulnerability in User Management

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Statamic Core versions prior to 2.11.8, specifically within the '/users' endpoint. The issue allows an attacker to inject a JavaScript payload into the username field during account registration; the payload is stored and later rendered unencoded by the '/users' endpoint (stored XSS). Additionally, because the affected request is a plain GET to the '/users' endpoint, an XSS payload supplied in the request path is reflected immediately, so the reflected vector can also be triggered through cross-site request forgery (CSRF).

Impact

Exploitation of this vulnerability results in cross-site scripting: the injected script runs in the browser of whichever user views the affected page, within that user's session context.

Reproduction

To reproduce this vulnerability, register a new user account with a JavaScript payload in the username field. Once the account is created, the injected script executes when the affected '/users' page is viewed, demonstrating the stored XSS. Alternatively, send a GET request to the '/users' endpoint with an XSS payload in the 'PATH_INFO'; the response reflects the payload immediately, demonstrating the reflected XSS.
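Both vectors above (stored username, reflected PATH_INFO) are the same defect: attacker-influenced text written into HTML without output encoding. The following Python model is an added example, not Statamic's code, and it does not use Statamic's template engine; it shows a vulnerable page renderer beside a hardened one, plus an assumed registration allowlist as defence in depth, with a constructed script-tag payload as test input.

```python
import html
import re

# Constructed sample data: two legitimate usernames and one that carries a
# script tag, as a registration form could submit it (test input only).
SAMPLE_USERNAMES = ["alice", "bob", "<script>alert(1)</script>"]
SAMPLE_PATH_INFO = "/users/<script>alert(1)</script>"

# Hypothetical allowlist for usernames: letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_username(username: str) -> bool:
    """Defence in depth at registration: reject anything outside the allowlist.
    This does not replace output encoding; it only shrinks what gets stored."""
    return USERNAME_RE.fullmatch(username) is not None


def render_users_page_vulnerable(usernames, path_info) -> str:
    """Models the pre-2.11.8 behaviour: stored usernames and the request path
    are concatenated into the markup without HTML encoding."""
    rows = "".join(f"<li>{u}</li>" for u in usernames)
    return f"<p>Path: {path_info}</p><ul>{rows}</ul>"


def render_users_page_hardened(usernames, path_info) -> str:
    """Same page with HTML-context encoding applied to every attacker-influenced
    value at the point it is written into the markup (the actual fix pattern)."""
    def esc(value: str) -> str:
        return html.escape(value, quote=True)
    rows = "".join(f"<li>{esc(u)}</li>" for u in usernames)
    return f"<p>Path: {esc(path_info)}</p><ul>{rows}</ul>"


def contains_script_tag(markup: str) -> bool:
    """Crude self-check: is a raw <script> element present in the output?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    vuln = render_users_page_vulnerable(SAMPLE_USERNAMES, SAMPLE_PATH_INFO)
    safe = render_users_page_hardened(SAMPLE_USERNAMES, SAMPLE_PATH_INFO)
    print("vulnerable output executes script:", contains_script_tag(vuln))
    print("hardened output executes script:  ", contains_script_tag(safe))
    print("accepted at registration:", [u for u in SAMPLE_USERNAMES if validate_username(u)])
```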

Remediation

Users are advised to update Statamic Core to version 2.11.8 or later, where this vulnerability has been fixed.

Added: Aug 8, 2025, 3:25 PM
Updated: Aug 8, 2025, 3:25 PM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.4
exploitability: 7.9
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.