Craft CMS Stored Cross-Site Scripting Vulnerability in Table Field Component

Vulnerability

A stored cross-site scripting vulnerability has been identified in Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The issue arises in the 'editableTable.twig' component when the 'html' column type is used. The component does not properly sanitize the cell content, so an attacker can inject arbitrary JavaScript that executes when another user views a page containing the affected table field. To exploit this vulnerability, an attacker must have an administrator account and the 'allowAdminChanges' setting must be enabled in production, which contradicts Craft's security guidelines.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected content.

Reproduction

To reproduce this vulnerability, an administrator must create a new table field and add a column with the 'html' type, which is not available in the UI but can be manually set. After intercepting the request to save the field, the column type can be changed to 'html' before forwarding the request. Once the field is saved, injecting a script payload, such as an image tag with an 'onerror' event, will execute the script when the field is viewed or edited.

Remediation

Update to Craft CMS 4.16.19 or 5.8.23, where this vulnerability has been patched.
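As an added check (not part of this advisory or of Craft's own code), the following Python helper maps a Craft CMS version string onto the affected ranges stated above and, following the advisory's precondition, reports whether an install is exposed only when the 'allowAdminChanges' setting is enabled in production. Release candidates are ordered before the final release of the same number so that the '-RC1' range boundaries are handled correctly.

```python
import re

# Affected ranges and fixed releases exactly as stated in the advisory.
AFFECTED_RANGES = [
    ("4.5.0-RC1", "4.16.18", "4.16.19"),
    ("5.0.0-RC1", "5.8.22", "5.8.23"),
]

def parse_version(version):
    """Turn 'MAJOR.MINOR.PATCH[-RCn]' into a sortable tuple.

    A release candidate must sort before the final release of the same
    number, so the trailing pair is (0, n) for RCn and (1, 0) for a final.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Craft CMS version string: {version!r}")
    major, minor, patch, rc = m.groups()
    prerelease = (0, int(rc)) if rc is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + prerelease

def assess(version):
    """Return (affected, fixed_version) for a Craft CMS version string.

    fixed_version is None when the version is outside every affected range.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return True, fixed
    return False, None

def exposure(version, allow_admin_changes):
    """Summarise risk: 'patched', 'vulnerable' (code present, admin changes
    disabled so the described attack path is closed) or 'exposed'."""
    affected, fixed = assess(version)
    if not affected:
        return "patched"
    return ("exposed" if allow_admin_changes else "vulnerable") + f", update to {fixed}"

if __name__ == "__main__":
    # Constructed sample input: a production site reporting its version.
    print(exposure("4.16.18", allow_admin_changes=True))   # exposed, update to 4.16.19
```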

Added: Feb 24, 2026, 3:26 AM
Updated: Feb 24, 2026, 3:26 AM

Vulnerability Rating (Custom Algorithm)

  spread          5.2
  impact          1.7
  exploitability  6.0
  remediation     7.7
  relevance       3.1
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.