craftcms/cms
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 4.15.3, <= 4.17.2
- >= 5.7.5, <= 5.9.6
A reflected cross-site scripting vulnerability has been identified in Craft CMS versions 4.15.3 through 4.17.2 and 5.7.5 through 5.9.6. The issue arises from inadequate sanitization of return URLs before they are stored in the session. Although a `strip_tags()` call was introduced to remove HTML tags, it does not filter URL schemes. This oversight allows malicious payloads, such as `javascript:` URLs, to bypass the sanitization and execute scripts when the URL is rendered in an `href` attribute. The vulnerability is exploited by crafting a link with a harmful return URL that, once clicked, executes the embedded JavaScript in the context of the Craft CMS site.
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can execute JavaScript in the context of the victim's browser session on the Craft CMS site. This could lead to session hijacking by stealing cookies, data exfiltration to an attacker-controlled server, phishing by redirecting to a fraudulent domain, or Cross-Site Request Forgery (CSRF) attacks by performing actions on behalf of the authenticated user.
To reproduce this vulnerability, create a link that includes a return URL parameter with a `javascript:` payload, such as `javascript:alert(document.cookie)`. When the link is clicked, the Craft CMS site will process the return URL. The `strip_tags()` function will remove any HTML tags but will not filter out the `javascript:` scheme. The URL will be stored in the session and later rendered in an `href` attribute. When that rendered link is clicked, the JavaScript payload will execute, demonstrating the cross-site scripting vulnerability.
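The following PHP is an added example, not Craft CMS's own code or its fix. It shows why `strip_tags()` leaves a `javascript:` URL untouched, and contrasts it with a return-URL check that accepts only same-site relative paths or `http`/`https` URLs on an expected host. The site host `example.test`, the function names and the sample return URLs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample inputs: what an attacker-controlled return URL parameter might carry.
$samples = [
    '/admin/dashboard',
    'https://example.test/entries',                 // example.test is an assumed site host
    'javascript:alert(document.cookie)',
    'JaVaScRiPt:alert(1)',
    " java\tscript:alert(1)",
    'data:text/html,<script>alert(1)</script>',
    '//evil.example/phish',                         // scheme-relative: escapes to another host
    'https://evil.example/phish',
    '<b>/foo</b>',
];

// The weak step: strip_tags() only removes HTML tags. A javascript: URL contains no tags,
// so it passes through unchanged and is later emitted inside an href attribute.
function weakSanitize(string $url): string
{
    return strip_tags($url);
}

// Hardened check (assumed design, not Craft's actual patch): allow only
//  - relative paths beginning with a single "/" (not "//" or "/\", which are host-relative), or
//  - absolute URLs whose scheme is http/https and whose host matches $siteHost.
function isSafeReturnUrl(string $url, string $siteHost): bool
{
    $url = trim($url);
    if ($url === '') {
        return false;
    }
    // Browsers ignore control characters and whitespace inside a scheme ("java\tscript:"),
    // so reject any such byte rather than trying to normalise it.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }
    if ($url[0] === '/') {
        return !isset($url[1]) || ($url[1] !== '/' && $url[1] !== '\\');
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    return strcasecmp($parts['host'], $siteHost) === 0;
}

foreach ($samples as $s) {
    printf(
        "%-48s strip_tags => %-40s accepted? %s\n",
        var_export($s, true),
        var_export(weakSanitize($s), true),
        isSafeReturnUrl($s, 'example.test') ? 'yes' : 'no'
    );
}
```

Running it shows every `javascript:` and `data:` sample surviving `strip_tags()` verbatim while being rejected by `isSafeReturnUrl()`; only `/admin/dashboard` and the `https://example.test/...` URL are accepted. The check deliberately rejects scheme-less paths without a leading slash (`admin/foo`) and open-redirect forms (`//evil.example`), since a return URL only ever needs to point back into the same site.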
Users can update to Craft CMS version 5.9.7 or 4.17.3, where this vulnerability has been fixed.