Tendenci CMS
cpe:2.3:a:tendenci:tendenci:*:*:*:*:*:*:*
- 15.3.7
A stored cross-site scripting vulnerability has been identified in the Jobs module of Tendenci CMS version 15.3.7. It allows an attacker to execute arbitrary web scripts or HTML by submitting a crafted payload. The injected script is saved permanently in the database and runs automatically for every user who views the affected content, including administrators. The same flaw exists in the Forums module, affecting users who view the forum category or open the topic.
Exploitation allows mass cookie theft: session cookies of every user who views the content can be exfiltrated automatically (unless the session cookie is flagged HttpOnly, in which case the script can still act on that user's behalf from within the page). It also creates a persistent backdoor, since the injected script remains in the database and executes each time the content is viewed. If an administrator views the affected content, their privileged session is compromised.
To reproduce this vulnerability in the Jobs module, navigate to the 'Add Job' form, inject a script payload into the 'Job title' field, and submit the form. The script will execute automatically for all users who view the job listing. In the Forums module, the same can be done by injecting a script payload into the 'Subject' or 'Message' fields when creating a new topic. Once the topic is posted, the script will execute for all users who view the forum category or the specific topic.
To address this vulnerability, it is crucial to apply output encoding to all user input before rendering it, using encoding appropriate to the output context (HTML text, attribute, URL, or JavaScript). Input sanitization is also essential: server-side allowlisting of HTML tags and stripping of dangerous attributes such as event handlers. Additionally, a strict Content Security Policy should be applied, along with security headers such as X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection (a legacy header that current browsers ignore, so it must not be relied on). For applications using the Django framework, keep template auto-escaping enabled and review every use of mark_safe() and the |safe template filter. Finally, scan the database for malicious scripts and remove any stored XSS payloads.
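As an added illustration of the two remediation steps above (not code from Tendenci or from the original advisory), the following plain-Python snippet shows context-appropriate encoding for a text-only field such as the job title, and an allowlist sanitizer for a rich-text field such as the forum message that discards script blocks, event-handler attributes and unsafe URL schemes. The tag and attribute allowlists are assumptions, and the inputs in the comments are constructed samples.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}  # assumed allowlist
ALLOWED_ATTRS = {"a": {"href"}}  # assumed; no on* handlers, no style=
SAFE_HREF_PREFIXES = ("http://", "https://", "mailto:", "/")

def encode_for_html_text(value: str) -> str:
    """HTML text context (e.g. the job title): encode every metacharacter."""
    return html.escape(value, quote=True)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # nesting depth inside <script>/<style>; their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # tag removed; its text is still emitted (escaped) by handle_data
        kept = []
        for name, val in attrs:
            val = val or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onclick=, onerror=, style=, ...
            if name == "href" and not val.strip().lower().startswith(SAFE_HREF_PREFIXES):
                continue  # drops javascript: and data: URLs
            kept.append(f' {name}="{html.escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> emits once, without a bogus </br>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=True))

def sanitize_html(value: str) -> str:
    """Rich-text context (e.g. the forum message): keep only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()  # flushes buffered trailing text
    return "".join(parser.out)
```

A field rendered with encode_for_html_text() never needs mark_safe(); only the output of sanitize_html() should ever be marked safe, and only after the allowlist has been reviewed.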