Statamic CMS Stored Cross-Site Scripting Vulnerability in HTML Fieldtype

Vulnerability

A stored cross-site scripting vulnerability has been identified in Statamic CMS versions 5.73.8 and below, as well as 6.0.0-alpha.1 through 6.3.1. It allows authenticated users with field management permissions to inject malicious JavaScript into HTML fieldtypes. The injected script executes when the content is viewed by users with higher privileges. The issue arises from insufficient sanitization of HTML input, which lets such a user plant a script simply by manipulating field content.

Impact

Exploitation of this vulnerability allows for privilege escalation through the injection of malicious JavaScript that is executed in the context of higher-privileged users.

Reproduction

To reproduce this vulnerability, an authenticated user with field management permissions can inject JavaScript into an HTML fieldtype. This can be done by editing a field that allows HTML input and inserting a script tag with JavaScript code. Once the content is saved, the injected script will execute when the field is viewed by a user with higher privileges.

Remediation

Users can upgrade to Statamic CMS versions 6.3.2 or 5.73.9 to address this vulnerability.
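As an added defensive check, not part of this advisory or of Statamic's own code: the script below walks a parsed blueprint, finds fields of type html, and flags markup that would execute script when the control panel renders the field (script elements, on* event handlers, javascript: URLs), so field configurations saved before the upgrade can be reviewed. It assumes the field configuration is a dict carrying type: html with its markup under an html key, and that the blueprint YAML has already been loaded (for example with yaml.safe_load); the sample blueprint is constructed.

```python
from html.parser import HTMLParser

# Attributes whose value is a URL; a javascript: scheme there runs code.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ActiveContentScanner(HTMLParser):
    """Collect markup constructs that execute script when rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                # Drop whitespace browsers ignore before the scheme, then compare.
                scheme = "".join(value.split()).lower().split(":", 1)[0]
                if scheme == "javascript":
                    self.findings.append(f"javascript: URL in {name} on <{tag}>")


def scan_html(markup: str) -> list[str]:
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


def find_html_fields(node, path="blueprint"):
    """Yield (path, markup) for every html fieldtype config in a parsed blueprint.
    Assumption: the config is a dict with type: html and its markup under 'html'."""
    if isinstance(node, dict):
        if node.get("type") == "html" and isinstance(node.get("html"), str):
            yield path, node["html"]
        for key, child in node.items():
            yield from find_html_fields(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_html_fields(child, f"{path}[{i}]")


def audit_blueprint(blueprint) -> dict:
    """Map each html field path to the active-content findings in its markup."""
    report = {}
    for path, markup in find_html_fields(blueprint):
        findings = scan_html(markup)
        if findings:
            report[path] = findings
    return report


# Constructed sample blueprint (not real site data): one benign html field, one injected.
SAMPLE_BLUEPRINT = {"tabs": {"main": {"sections": [{"fields": [
    {"handle": "note", "field": {"type": "html", "html": "<p>Enter the <b>title</b>.</p>"}},
    {"handle": "help", "field": {"type": "html", "html":
        "<p>Help</p><script>console.log('x')</script><img src=x onerror=\"console.log('y')\">"}},
    {"handle": "title", "field": {"type": "text"}},
]}]}}}

if __name__ == "__main__":
    for path, findings in audit_blueprint(SAMPLE_BLUEPRINT).items():
        print(path, findings)
```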

Added: Feb 21, 2026, 5:20 AM
Updated: Feb 21, 2026, 5:20 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.4
exploitability: 6.2
remediation: 7.7
relevance: 3.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.