Publii CMS Persistent Cross-Site Scripting Vulnerability
Vulnerability
A persistent cross-site scripting vulnerability has been identified in Publii CMS version 0.46.5 (build 17089). This issue arises from unsanitized input in configuration fields, such as 'Site Description' and various social media link fields in the footer section. An attacker can inject arbitrary JavaScript, which is then stored within the project and executed in the browsers of remote visitors accessing the generated static site.
Impact
Exploitation of this vulnerability allows for the execution of injected JavaScript in the browsers of users visiting the affected static site, potentially leading to cookie or session theft, phishing attacks, keylogging, or other client-side attacks.
Reproduction
To reproduce this vulnerability, install Publii CMS version 0.46.5 (build 17089) and create a new website project. Access the admin panel and navigate to 'theme', then 'custom settings', and finally 'footer'. In the social media link fields, paste a JavaScript alert script into the link URL fields for platforms such as Instagram, LinkedIn, Pinterest, Vimeo, or YouTube. Save the settings and preview the site. Click on the social media button in the footer to trigger the execution of the injected script.
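One way to close this class of issue at render time, shown as an added example that is not Publii's own code: link fields are accepted only as absolute http(s) URLs, and every setting is HTML-escaped before it is written into the generated page. The function names and the shape of the settings object are assumptions made for illustration, and the sample values are constructed.

```javascript
// Added example: output-side hardening for theme settings such as the
// footer social links and 'Site Description'. All names are hypothetical.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Escape text for HTML element and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Return a normalized absolute http(s) URL, or null if the value is not one.
function safeLinkUrl(value) {
  let url;
  try {
    url = new URL(String(value).trim()); // throws on relative or malformed input
  } catch {
    return null;
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Render the footer link list, dropping any entry that fails validation.
function renderFooterLinks(links) {
  const items = [];
  const rejected = [];
  for (const [name, value] of Object.entries(links)) {
    const href = safeLinkUrl(value);
    if (href === null) {
      rejected.push(name); // report to the admin UI instead of rendering
    } else {
      items.push(`<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(name)}</a>`);
    }
  }
  return { html: items.join("\n"), rejected };
}

// Constructed sample settings (not taken from the advisory).
const sampleSettings = {
  siteDescription: "News <script>/* constructed */</script> & notes",
  links: {
    instagram: "https://www.instagram.com/example",
    youtube: "javascript:void(0)",
    vimeo: "  HTTPS://vimeo.com/example?a=1&b=2 ",
  },
};
console.log(escapeHtml(sampleSettings.siteDescription));
console.log(renderFooterLinks(sampleSettings.links));
```

Checking the parsed scheme against an allow-list, rather than searching the string for known bad prefixes, keeps the check robust against case changes and embedded whitespace that the URL parser normalizes.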
