Textpattern CMS Second-Order Cross-Site Scripting Vulnerability

Vulnerability

A second-order cross-site scripting vulnerability has been identified in Textpattern CMS version 4.9.0. It arises from inadequate sanitization and context-specific encoding of user-supplied input within Atom feed XML elements: user-controlled parameters such as category are reflected in Atom fields like <id> and <link href> without proper XML escaping. Although the injected payload may not execute directly in a modern browser, which treats the feed as XML, it can run when the feed is processed by HTML-based feed readers, admin dashboards, or CMS aggregators that insert feed content into the DOM with unsafe methods such as innerHTML. The result is JavaScript execution in a trusted context, which can lead to session hijacking, credential theft, and supply-chain compromise by targeting administrative users and trusted systems.
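The encoding defect described above, as an added example that is not Textpattern's own code: it builds the Atom <id> and <link href> fields from a category value both by raw interpolation and with context-correct XML escaping, then shows what a strict XML parser and a lenient HTML parser (the innerHTML-style sink) each make of the two outputs. The base URL, the sample category value and all function names are constructed for illustration.

```python
"""Context-correct encoding for Atom <id> and <link href> (added example, not Textpattern code)."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from xml.sax.saxutils import escape, quoteattr

ATOM_NS = "http://www.w3.org/2005/Atom"
BASE_URL = "https://example.invalid"  # placeholder site, not a real host
HOSTILE_CATEGORY = "news<script>alert(1)</script>"  # constructed sample, not from the advisory

def build_entry_unsafe(category: str) -> str:
    """Defect class from the advisory: raw interpolation into XML text and attribute."""
    url = f"{BASE_URL}/category/{category}"
    return f'<entry xmlns="{ATOM_NS}"><id>{url}</id><link href="{url}"/></entry>'

def build_entry_safe(category: str) -> str:
    """Hardened form: escape() for element text, quoteattr() for the attribute value."""
    url = f"{BASE_URL}/category/{category}"
    return (f'<entry xmlns="{ATOM_NS}"><id>{escape(url)}</id>'
            f'<link href={quoteattr(url)}/></entry>')

def strict_xml_fields(xml_text: str):
    """What a conforming XML feed parser sees: the two fields, or None if not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    ns = {"a": ATOM_NS}
    return {"id": root.findtext("a:id", namespaces=ns),
            "href": root.find("a:link", ns).get("href")}

class _ScriptCounter(HTMLParser):
    """Counts <script> start tags a lenient, HTML-based reader would create."""
    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1

def html_script_tags(feed_text: str) -> int:
    """Number of <script> elements an HTML parser (innerHTML-style sink) would build."""
    counter = _ScriptCounter()
    counter.feed(feed_text)
    counter.close()
    return counter.scripts

if __name__ == "__main__":
    for name, build in (("unsafe", build_entry_unsafe), ("safe", build_entry_safe)):
        doc = build(HOSTILE_CATEGORY)
        print(name, strict_xml_fields(doc), "html script tags:", html_script_tags(doc))
```

A feed that a strict XML parser rejects while an HTML parser builds a script element from it is exactly the situation the advisory describes; the escaped output round-trips the category as literal text in both parsers.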

Impact

Exploitation of this vulnerability allows for arbitrary execution of JavaScript in trusted admin interfaces, with potential consequences including session hijacking, theft of credentials, extraction of CSRF tokens, and compromise of supply-chain integrity through trusted feeds.

Reproduction

To reproduce this vulnerability, inject a malicious payload into the Atom feed parameters, such as the category parameter. The payload will be reflected in the Atom XML without proper escaping, confirming the injection vulnerability. When the feed is consumed by an administrator or through a vulnerable HTML-based feed reader, the JavaScript payload will execute in the context of the trusted application.

Remediation

Users are advised to update to Textpattern CMS version 4.9.1, which addresses this vulnerability.

Added: Mar 20, 2026, 4:21 PM
Updated: Mar 20, 2026, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.4
exploitability: 7.5
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.