Daylight Studio Fuel CMS Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Daylight Studio Fuel CMS version 1.5.2. This vulnerability allows an attacker to escalate privileges by injecting malicious JavaScript into the /fuel/blocks/ and /fuel/pages components. The injected script is executed when the post is previewed, exploiting the text editor's preview feature.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the content.

Reproduction

To reproduce this vulnerability, log into Fuel CMS 1.5.2 and navigate to the blocks section. Create a new block and enter a payload, such as an image tag referencing a script hosted on a local PHP server, into the view field. After saving the block, click the 'Preview' button. The injected script will execute, demonstrating the XSS vulnerability.