ApostropheCMS
cpe:2.3:a:apostrophecms:apostrophecms:*:*:*:*:*:*:*
- <= 4.28.0
A stored cross-site scripting vulnerability has been identified in ApostropheCMS versions 4.28.0 and prior, specifically within the '@apostrophecms/color-field' module. The issue arises because color values that begin with '--' bypass the TinyColor validation: the '--' prefix is treated as a CSS custom property reference and the value is accepted without further checks. Additionally, the 'launder.string()' function only coerces the value to a string and does not strip HTML metacharacters. As a result, these unsanitized color values are written directly into <style> tags, both in individual widget styles visible to all visitors and in the global stylesheet accessed by editors. This vulnerability allows an editor to inject a script that, when executed, could hijack sessions, steal cookies, and escalate privileges to gain administrative control, especially if an admin views the draft content.
Exploitation of this vulnerability leads to stored cross-site scripting, where injected scripts execute in the context of the user visiting the affected page. This could result in mass session hijacking, cookie theft, and unauthorized administrative access on the CMS, particularly if an admin is viewing draft content.
To reproduce this vulnerability, log into an ApostropheCMS instance as an editor. Create or update a page with a widget that uses a color field in its styles configuration. Inject a color value that starts with '--' to bypass validation, followed by a script payload, such as JavaScript code that steals cookies. Once the page is published, the injected script will execute in the browsers of all visitors.
Users can update to ApostropheCMS version 4.29.0, where this vulnerability has been fixed.
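The following is an added illustration of the bug class described above, not code from ApostropheCMS or from its 4.29.0 fix: a constructed weak check that trusts any '--'-prefixed value stands beside an allow-list validator that rejects HTML and CSS metacharacters before a value can reach a <style> block. The function names, the regular expressions, and the sample inputs are all assumptions made for this example.

```javascript
// Added example, not ApostropheCMS code. Contrasts a validator that trusts any
// "--"-prefixed value with a strict allow-list validator for colour fields.

// Constructed weak check: anything starting with "--" is assumed to be a CSS
// custom property reference and passes without inspection (the bug class).
function weakColorCheck(value) {
  const s = String(value);
  if (s.startsWith('--')) return true;      // trusted as a CSS variable
  return /^#[0-9a-f]{3,8}$/i.test(s);       // otherwise a hex colour (simplified)
}

// Allowed syntaxes. Custom property names are "--" plus ident characters only;
// escapes and non-ASCII idents are deliberately rejected to keep the rule simple.
const CUSTOM_PROPERTY = /^--[A-Za-z0-9_-]+$/;
const HEX_COLOR = /^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i;
const FUNC_COLOR = /^(?:rgba?|hsla?)\(\s*[\d.%]+(?:\s*[,/ ]\s*[\d.%]+){2,3}\s*\)$/i;

// Hardened check: allow-list the syntax instead of trying to strip bad characters.
function strictColorCheck(value) {
  if (typeof value !== 'string' || value.length > 64) return false;
  // Any HTML/CSS metacharacter is an immediate reject, whatever the prefix.
  if (/[<>&"'`;{}\\]/.test(value)) return false;
  const s = value.trim();
  if (s.startsWith('--')) return CUSTOM_PROPERTY.test(s);
  return HEX_COLOR.test(s) || FUNC_COLOR.test(s);
}

// Build a declaration for a <style> block. Only validated values are interpolated,
// and a custom property is wrapped in var() so it is a reference, not raw text.
function toDeclaration(prop, value) {
  if (!strictColorCheck(value)) throw new Error('rejected colour value');
  const s = value.trim();
  return `${prop}: ${s.startsWith('--') ? `var(${s})` : s};`;
}

// Constructed inputs: a legitimate custom property, a hex colour, and a
// "--"-prefixed value carrying markup (placeholder text, not a working payload).
const SAMPLES = {
  custom: '--brand-primary',
  hex: '#1a2b3c',
  markup: '--x</style><!-- markup -->'
};

// Stand-alone demo: the weak check passes the markup sample, the strict one rejects it.
for (const [name, v] of Object.entries(SAMPLES)) {
  console.log(name, 'weak:', weakColorCheck(v), 'strict:', strictColorCheck(v));
}
```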