e107 CMS Reflected and Stored Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been identified in e107 CMS version 3.2.1. This issue arises from a reflected XSS in the news comment feature, where authenticated users can inject malicious JavaScript via a URL parameter. The script executes when the user clicks outside the comment field. Additionally, there is a stored XSS vulnerability due to an upload restriction bypass for authenticated administrators. They can upload SVG files containing harmful code through the media manager's remote URL upload option, which is executed when the SVG files are accessed.

Impact

Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce the reflected XSS vulnerability, an authenticated user can add a comment in the news section, injecting JavaScript into the comment field via the URL parameter. The script will execute after clicking outside the comment box. For the stored XSS vulnerability, an authenticated administrator can bypass upload restrictions by uploading an SVG file with embedded JavaScript through the media manager's remote URL upload feature. Once uploaded, the SVG file can be accessed, triggering the stored XSS.