GreenCMS Stored Cross-Site Scripting Vulnerability in Menu Management Component

Vulnerability

A stored cross-site scripting vulnerability has been identified in GreenCMS version 2.3.0603. The issue arises from inadequate input sanitization of the 'Link' parameter in the menu management feature of the administration panel. Although 'htmlspecialchars()' is applied, it is called without the 'ENT_QUOTES' flag, so single quotes are not escaped. An authenticated attacker can therefore close the surrounding attribute with a single quote and add an event handler to inject malicious JavaScript. This vulnerability only impacts unsupported products.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the menu, potentially leading to session hijacking, credential theft, unauthorized administrative actions, or website defacement.

Reproduction

To reproduce this vulnerability, log into the GreenCMS admin panel and navigate to 'Custom Management' then 'Menu Management'. Create or edit a menu item and insert a payload, such as a JavaScript URL followed by a single quote to close the attribute, into the 'Link' parameter. Save the menu item and then view it on the frontend to trigger the cross-site scripting payload.

Remediation

Replace the vulnerable input sanitization code in '/Admin/Controller/CustomController.class.php' with 'htmlspecialchars($link, ENT_QUOTES)' to properly escape single quotes. Additionally, consider implementing a Content Security Policy, validating URL formats, using prepared statements for database operations, and conducting regular security audits.
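
The flag difference and the URL format check, as an added example that is not GreenCMS code: the function names, the single-quoted href template and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration: function names and the template shape are hypothetical,
// not taken from the GreenCMS source.

// Weak form: ENT_COMPAT escapes & < > " but leaves ' untouched.
// (ENT_COMPAT was the default flag before PHP 8.1.)
function encode_link_weak(string $link): string
{
    return htmlspecialchars($link, ENT_COMPAT, 'UTF-8');
}

// Fixed form from the Remediation section: ENT_QUOTES also escapes '.
function encode_link_fixed(string $link): string
{
    return htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
}

// URL format validation: accept site-relative paths and http(s) URLs only.
function is_allowed_link(string $link): bool
{
    // Reject empty values and any whitespace or control character.
    if ($link === '' || preg_match('/[\x00-\x20\x7f]/', $link)) {
        return false;
    }
    if ($link[0] === '/') {
        // Site-relative path; refuse protocol-relative "//host" and "/\host".
        return !isset($link[1]) || ($link[1] !== '/' && $link[1] !== '\\');
    }
    $scheme = parse_url($link, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Constructed input: a single quote that would close a single-quoted attribute.
$sample = "/about' data-x='1";

// Assumed template shape: <a href='...'> (single-quoted attribute).
printf("weak : <a href='%s'>\n", encode_link_weak($sample));
printf("fixed: <a href='%s'>\n", encode_link_fixed($sample));

// Constructed candidates run through the allow-list check.
$candidates = ['/about', 'https://example.com/docs', 'javascript:void(0)', $sample];
foreach ($candidates as $candidate) {
    printf("%-26s %s\n", $candidate, is_allowed_link($candidate) ? 'accept' : 'reject');
}
```

Validation on save and encoding on output are complementary: the allow-list refuses non-http(s) schemes that encoding alone would pass through, and 'ENT_QUOTES' keeps any value that does get stored from breaking out of the attribute.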

Added: Dec 8, 2025, 12:17 PM
Updated: Dec 8, 2025, 7:31 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.