Typemill Reflected Cross-Site Scripting Vulnerability in Login Error View

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in Typemill, a flat-file, Markdown-based CMS, in versions prior to 2.19.2. The issue resides in the login error view template, 'login.twig', where the 'username' value is echoed back without proper contextual encoding when authentication fails. This allows an attacker to execute scripts in the context of the login page.

Impact

Exploitation of this vulnerability allows for reflected Cross-Site Scripting, where an attacker can execute scripts in the victim's browser session.

Reproduction

To reproduce this vulnerability, send a POST request to the '/tm/login' endpoint with 'username' parameter containing a script payload, such as an alert script, and 'password' set to an incorrect value. The injected script will be executed in the context of the login page.

Remediation

Users are advised to update to Typemill version 2.19.2, where this vulnerability has been fixed. Additionally, ensure strict output encoding in the login process and sanitize any admin-accessible fields that are rendered as HTML.