Decap CMS Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Decap CMS versions through 3.8.3. The issue arises because input fields such as body, tags, title, and description are not adequately sanitized before being displayed in the content preview pane. This lack of proper sanitization allows an attacker to inject malicious JavaScript that executes when a user views the preview panel. The vulnerability impacts multiple input vectors and requires no user interaction beyond viewing the affected content.

Impact

Exploitation of this vulnerability allows arbitrary JavaScript execution in the context of the user viewing the preview. The consequences are particularly severe if an admin user is involved, potentially leading to session hijacking, credential theft, content defacement, or the injection of backdoors into statically generated websites.

Reproduction

To reproduce this vulnerability, a contributor must inject a malicious payload into a blog entry's input fields. Once the entry is saved, an editor or admin user can open the entry in the preview panel, where the injected JavaScript will execute in their browser context.
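
Because the payload is stored with the entry, existing content can be checked for it. The following is an added example, not code from the advisory or from the Decap CMS project: a triage check that scans entries for script-capable markup in the fields named above (title, description, tags, body). The entry object shape, the pattern list and the sample entries are assumptions constructed for illustration.

```javascript
// Fields the advisory lists as unsanitized in the preview pane.
const FIELDS = ['title', 'description', 'tags', 'body'];

// Heuristic patterns (assumed, not exhaustive) for markup that can run script
// when a field value is inserted into a page as HTML.
const PATTERNS = [
  { name: 'script-tag', re: /<\s*script\b/i },
  { name: 'event-handler-attribute', re: /<[^>]*\son[a-z]+\s*=/i },
  { name: 'javascript-url', re: /(?:(?:href|src|action)\s*=\s*["']?|\]\()\s*javascript:/i },
  { name: 'embedding-tag', re: /<\s*(?:iframe|object|embed)\b/i },
];

// Normalise a field value (string, list of strings, or missing) to a list of strings.
function fieldValues(value) {
  if (value == null) return [];
  return (Array.isArray(value) ? value : [value]).map(String);
}

// Return one finding per entry, field and pattern that matched.
function auditEntries(entries) {
  const findings = [];
  for (const entry of entries) {
    for (const field of FIELDS) {
      for (const text of fieldValues(entry[field])) {
        for (const { name, re } of PATTERNS) {
          if (re.test(text)) findings.push({ slug: entry.slug, field, pattern: name });
        }
      }
    }
  }
  return findings;
}

// Constructed sample entries (hypothetical shape; demo() is a harmless placeholder).
const SAMPLE_ENTRIES = [
  { slug: 'welcome', title: 'Welcome', description: 'Intro post', tags: ['news'],
    body: 'Plain **markdown** text, 1 < 2.' },
  { slug: 'entry-2', title: 'Update <img src="x" onerror="demo()">', description: 'ok',
    tags: ['a', '<script>demo()</script>'], body: '[link](https://example.com)' },
];

for (const f of auditEntries(SAMPLE_ENTRIES)) {
  console.log(`${f.slug}: ${f.field} matches ${f.pattern}`);
}
```

A match is a prompt for manual review, not proof of injection, and an empty result does not show the content is clean.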

Added: Sep 10, 2025, 5:18 PM
Updated: Sep 10, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.