Tendenci CMS Stored Cross-Site Scripting Vulnerability in Forums and Jobs Modules

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Forums and Jobs modules of Tendenci CMS version 15.3.7. This vulnerability allows attackers to inject arbitrary web scripts or HTML, which is then executed in the browsers of users who view the affected content. The injected scripts are permanently saved in the database and executed automatically, without any user interaction, impacting all users and administrators who access the content.

Impact

Exploitation of this vulnerability allows for mass cookie theft, as session cookies of all users viewing the content are stolen automatically. It also creates a persistent backdoor, as the attacker maintains access as long as the malicious content remains stored. Additionally, this vulnerability has the potential to spread self-replicating XSS across the application, especially when an administrator views the content, compromising their privileged session.

Reproduction

To reproduce this vulnerability in the Jobs module, navigate to the 'Add Job' form, inject a script payload into the 'Job title' field, and submit the form. The script will execute automatically for all users who view the job listing. In the Forums module, go to the 'New Topic' form, paste a script payload into the 'Subject' or 'Message' fields, and submit the topic. The injected script will run for anyone who views the forum category or the specific topic.

Remediation

To address this vulnerability, immediate actions are required: encoding all user-supplied input on output, before it is rendered; sanitizing HTML tags server-side; and applying strict Content Security Policy headers. Additionally, existing databases should be scanned for malicious scripts and cleaned up.
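As an added example (not Tendenci's own code, and not part of the original advisory), the two remediation steps that can be expressed in code: output-encoding a stored field before it is rendered, and scanning stored Jobs and Forums rows for markup that could execute script. It uses only the Python standard library, Python being the language of Tendenci (a Django application); the sample rows are constructed here, not real data.

```python
import html
from html.parser import HTMLParser

# Constructed sample rows standing in for the Jobs 'Job title' and Forums
# 'Subject'/'Message' fields named in the advisory; not real Tendenci data.
SAMPLE_ROWS = [
    {"module": "jobs", "field": "title", "value": "Senior Django Developer"},
    {"module": "jobs", "field": "title", "value": "Intern <script>alert(1)</script>"},
    {"module": "forums", "field": "subject", "value": "Tips & tricks for <b>Tendenci</b>"},
    {"module": "forums", "field": "subject", "value": "<img src=x onerror=alert(1)>"},
    {"module": "forums", "field": "message", "value": '<a href="javascript:alert(1)">Apply</a>'},
]

class ScriptMarkupFinder(HTMLParser):
    """Records how a stored value could execute script if rendered unescaped:
    <script> elements, on* event-handler attributes, javascript: href/src URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            elif name in ("href", "src") and (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")

def find_script_markup(value):
    """Findings for one stored field value; an empty list means it is clean."""
    finder = ScriptMarkupFinder()
    finder.feed(value)
    return finder.findings

def render_safe(value):
    """Output-encode before rendering so the browser treats the value as text.
    Django's template auto-escaping does this; the explicit form matters wherever
    a template or view marks a stored value as safe."""
    return html.escape(value, quote=True)

def scan_rows(rows):
    """Database clean-up step: return rows carrying script-capable markup, annotated."""
    flagged = []
    for row in rows:
        findings = find_script_markup(row["value"])
        if findings:
            flagged.append({**row, "findings": findings})
    return flagged
```

Run `scan_rows` over the real tables' text columns to find content that needs review; `render_safe` is the encoding every template must apply to those columns on output.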

Added: Feb 2, 2026, 11:40 PM
Updated: Feb 2, 2026, 11:40 PM

Vulnerability Rating

Custom Algorithm, score by category:

  spread          3.1
  impact          1.7
  exploitability  6.2
  remediation     0.0
  relevance       2.4
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.