Piranha CMS Stored Cross-Site Scripting Vulnerability in Page Settings Module

Vulnerability

A stored cross-site scripting vulnerability has been identified in Piranha CMS version 12.1, specifically within the Page Settings module. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Excerpt field. Because the field's content is not properly sanitized, the injected script executes when the page is previewed or accessed publicly.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the victim's browser, potentially leading to the exposure of sensitive user information and abuse of trusted content rendered by the Piranha CMS frontend.

Reproduction

To reproduce this vulnerability, log into Piranha CMS with an account that has permission to create or edit pages. Navigate to the Page Editor and either create a new page or edit an existing one. Inject a JavaScript payload into the Excerpt field, which is located in the page settings. After saving the page, either preview it or publish it and access it publicly. The injected JavaScript will execute in the browser, demonstrating the stored cross-site scripting vulnerability.
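To find Excerpt values of the kind described above in existing content, the following added example (not code from Piranha CMS or from this advisory) audits page excerpts for embedded markup and shows HTML-encoding the value at render time. The page-record layout (`id`, `excerpt`), the function names and the sample data are assumptions constructed for illustration; they are not Piranha's schema or API.

```python
import html
from html.parser import HTMLParser


class MarkupFinder(HTMLParser):
    """Records every tag, event-handler attribute and javascript: URL seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}")
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def audit_excerpt(text):
    """Return the markup findings for one excerpt (empty list = plain text)."""
    finder = MarkupFinder()
    finder.feed(text or "")
    finder.close()
    return finder.findings


def audit_pages(pages):
    """Map page id -> findings for every page whose excerpt contains markup."""
    report = {}
    for page in pages:
        findings = audit_excerpt(page.get("excerpt"))
        if findings:
            report[page["id"]] = findings
    return report


def render_excerpt(text):
    """Encode on output so stored markup is shown as text, not parsed as HTML."""
    return '<p class="excerpt">' + html.escape(text or "", quote=True) + "</p>"


# Constructed sample records (hypothetical export format, not real data).
SAMPLE_PAGES = [
    {"id": 1, "excerpt": "Release notes for Q3 & roadmap"},
    {"id": 2, "excerpt": "<script>alert(1)</script>"},
    {"id": 3, "excerpt": 'Read <a href="javascript:void(0)" onclick="x()">more</a>'},
    {"id": 4, "excerpt": "Prices < 10 and > 5"},
]

if __name__ == "__main__":
    for page_id, findings in audit_pages(SAMPLE_PAGES).items():
        print(page_id, findings)
```

An excerpt is expected to be plain text, so any tag at all is reported; a bare `<` or `&` in ordinary prose is not flagged.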

Added: Dec 22, 2025, 8:18 PM
Updated: Dec 22, 2025, 9:19 PM

Vulnerability Rating

Custom Algorithm
spread: 1.6
impact: 5.4
exploitability: 6.5
remediation: 0.0
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.