Unisite CMS Stored Cross-Site Scripting Vulnerability Leading to Remote Code Execution

A stored Cross-Site Scripting vulnerability has been identified in Unisite CMS version 5.0, specifically within the 'Report' feature. This vulnerability allows an attacker to inject a malicious script that is executed in the admin panel when viewed by an administrator. Exploitation of this issue could hijack the admin session, and using the template editor, upload and execute a PHP web shell on the server, resulting in full remote code execution.

Impact

Successful exploitation allows for full administrative access, execution of arbitrary commands on the server, and potential persistence through uploaded backdoors.

Reproduction

To reproduce this vulnerability, an attacker must submit a report containing a malicious script through the public 'Report' form. Once submitted, an administrator must view the report in the admin dashboard, which will trigger the execution of the script in the context of the admin's browser. This execution can capture the admin session cookie, allowing the attacker to log into the admin panel. After gaining access, the attacker can inject PHP code into a template file via the template editor, which can then be executed through an uploaded web shell.

Remediation

As of now, no official patch is available from the vendor. However, it is recommended to sanitize and escape all user input rendered in the admin panel, avoid displaying untrusted HTML or JavaScript, enforce a strict Content Security Policy, and limit access to sensitive features like the template editor.