Dato CMS Web Previews Plugin Authenticated Iframe Injection Vulnerability

Vulnerability

An authenticated iframe injection vulnerability has been identified in the Dato CMS Web Previews plugin, affecting versions prior to 1.0.31. The issue stems from inadequate sanitization of the plugin's 'path' parameter, which lets an authenticated user bypass the restriction to the designated frontend URL and load arbitrary external resources in the preview iframe.

Impact

Exploitation of this vulnerability allows unauthorized external resources to be loaded inside the preview iframe, which, depending on the content loaded, may enable further attacks such as cross-site scripting or other injection attacks.

Reproduction

To reproduce this vulnerability, an authenticated user manipulates the iframe source by supplying, through the Web Previews plugin, a 'path' value that points to an external resource. Because the 'path' parameter is not properly validated, the default restriction to the frontend URL is bypassed and the external resource is loaded in the iframe.
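
The class of validation error described above, as an added example that is not the plugin's own code: a preview iframe URL is built from a user-controlled 'path' parameter (the parameter named in this advisory), and the check that keeps it on the configured frontend URL is shown next to the naive construction that does not. The function names, the sample frontend URL and the sample paths are assumptions made for this illustration.

```javascript
// Added example (not the Dato CMS Web Previews plugin's code). Function names,
// FRONTEND_URL and SAMPLES are constructed for this illustration.

const FRONTEND_URL = "https://preview.example.com"; // constructed sample

// Naive construction: the path is simply resolved against the frontend URL.
// WHATWG URL resolution lets an absolute or protocol-relative 'path' replace
// the base entirely, so the iframe ends up loading an external resource.
function naivePreviewUrl(path, frontendUrl = FRONTEND_URL) {
  return new URL(path, frontendUrl).href;
}

// Hardened construction: resolve, then require the result to stay on the
// frontend's origin (scheme + host + port). Anything else is rejected rather
// than "cleaned"; javascript: and data: URLs fail too, since their origin is
// the opaque "null", as does a scheme downgrade to http://.
function safePreviewUrl(path, frontendUrl = FRONTEND_URL) {
  const base = new URL(frontendUrl);
  let resolved;
  try {
    resolved = new URL(path, base);
  } catch (e) {
    return null; // unparsable input never becomes an iframe src
  }
  if (resolved.origin !== base.origin) {
    return null; // escaped the designated frontend URL
  }
  return resolved.href;
}

// Constructed sample inputs: one legitimate relative path, then shapes that
// escape the base under naive resolution (absolute URL, protocol-relative URL,
// backslash variant, non-http scheme, look-alike host).
const SAMPLES = [
  "/blog/hello-world",
  "https://other.example/",
  "//other.example/",
  "\\\\other.example/",
  "javascript:void(0)",
  "https://preview.example.com.other.example/",
];

// Returns one row per sample so the two builders can be compared side by side.
function compare() {
  return SAMPLES.map((p) => ({ path: p, naive: naivePreviewUrl(p), safe: safePreviewUrl(p) }));
}

for (const row of compare()) console.log(row);
```

Only the first sample survives `safePreviewUrl`; every other row shows `naivePreviewUrl` producing a URL off the frontend origin while the hardened check returns `null`.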

Remediation

Users are advised to update to Dato CMS Web Previews version 1.0.31 or later, where this vulnerability has been addressed.

Added: Feb 27, 2026, 3:19 PM
Updated: Feb 27, 2026, 3:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 6.3
remediation: 0.0
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.