Piranha CMS
cpe:2.3:a:dotnetfoundation:piranha_cms:*:*:*:*:*:*:*
- 12.1
A stored cross-site scripting vulnerability has been identified in the Media module of Piranha CMS version 12.1. This vulnerability allows authenticated users to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name field of media folders. The application fails to properly sanitize user input, enabling the execution of malicious scripts when the folder entry is created or edited.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
To reproduce this vulnerability, log in to Piranha CMS 12.1 as an authenticated user and navigate to the Media page. Create a new folder and inject a JavaScript payload into the Name field. After saving the folder, the injected script will execute, demonstrating the cross-site scripting vulnerability. This issue can also be reproduced by editing an existing folder with a malicious name and saving it without changes.
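The following added example, which is not Piranha CMS code, shows the missing output encoding described above next to an encoded version, plus a check for folder names that were already stored with markup in them. The record shape (`id`, `name`), the function names and the sample folder names are assumptions constructed for illustration.

```javascript
// Added example: hypothetical folder records and helpers, not Piranha CMS code.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode every HTML metacharacter so a name is rendered as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the stored name is concatenated into markup unchanged.
function renderFolderUnsafe(folder) {
  return '<li class="folder">' + folder.name + "</li>";
}

// Hardened pattern: the same template with output encoding applied at render time.
function renderFolderSafe(folder) {
  return '<li class="folder">' + escapeHtml(folder.name) + "</li>";
}

// Audit helper: return ids of stored names containing angle brackets.
// Names saved before a fix stay in the database, so they need review too.
// Quotes and ampersands are common in legitimate names and are not flagged here;
// they are still encoded by escapeHtml, which also covers attribute contexts.
function findSuspiciousFolders(folders) {
  return folders.filter((f) => /[<>]/.test(f.name)).map((f) => f.id);
}

// Constructed sample data.
const folders = [
  { id: 1, name: "Press photos 2024" },
  { id: 2, name: "R&D <b>drafts</b>" },
  { id: 3, name: "Bob's uploads" },
];

console.log(renderFolderUnsafe(folders[1])); // markup from the name reaches the page
console.log(renderFolderSafe(folders[1]));   // name is shown as literal text
console.log(findSuspiciousFolders(folders)); // ids to review manually
```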