Brave CMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Brave CMS version 2.0. Content entered through the CKEditor rich-text editor is saved directly in the database and rendered using Laravel Blade's unescaped output directive. This allows any JavaScript or HTML injected by a user with editor privileges to be permanently stored and executed in the browsers of all visitors when the page is loaded. The vulnerability has been patched in a later commit.

Impact

Exploitation of this vulnerability allows for the theft of session cookies from users who visit the affected page, potentially leading to unauthorized access to their accounts. If an administrator's cookies are stolen, the attacker can gain full control over the CMS. Additionally, any injected scripts can become persistent and replicate across all published content.

Reproduction

To reproduce this vulnerability, log into the Brave CMS dashboard as an author. Navigate to the 'Create Article' or 'Create Page' section. Intercept the request and modify the CKEditor body field to include a payload, such as an image tag with an 'onerror' attribute that fetches data from an external server. Once the form is submitted, the injected HTML is stored in the database without any sanitization. When the article or page is viewed, the script executes in the browser, sending cookies to the attacker's server.

Remediation

Replace the unescaped output directive with a safe alternative, such as an allowlist-based HTML purifier. Apply this fix to all affected templates and to any other place where user-supplied data is output without proper sanitization.
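
One way to implement the allowlist approach described above with PHP's built-in DOM extension (an added example, not Brave CMS code and not the project's actual patch). The tag and attribute allowlists, the function names and the `$article->body` field are assumptions, and PHP 8 is assumed.

```php
<?php
// Added example, not Brave CMS code. Allowlists are assumptions; match them to the editor toolbar.
const ALLOWED = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'h2' => [], 'h3' => [], 'blockquote' => [], 'a' => ['href', 'title'], 'img' => ['src', 'alt'],
];

function urlIsSafe(string $value): bool
{
    // Browsers ignore tabs and newlines inside a URL scheme, so strip them before checking.
    $v = preg_replace('/[\x00-\x20]+/', '', $value);
    // No scheme means a relative URL; otherwise only http and https are accepted.
    return !preg_match('/^([a-z][a-z0-9+.\-]*):/i', $v, $m)
        || in_array(strtolower($m[1]), ['http', 'https'], true);
}

function sanitizeRichText(string $html): string
{
    $doc = new DOMDocument();
    // The XML prolog makes libxml treat the fragment as UTF-8; NONET forbids network access.
    $doc->loadHTML('<?xml encoding="utf-8"?>' . $html, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    $nodes = (new DOMXPath($doc))->query('.//* | .//comment()', $body);
    foreach (iterator_to_array($nodes, false) as $node) { // snapshot: the loop mutates the tree
        $tag = strtolower($node->nodeName);
        if (!$node instanceof DOMElement || !array_key_exists($tag, ALLOWED)) {
            // Comments and non-allowlisted elements (script, iframe, svg, ...) go, children included.
            $node->parentNode?->removeChild($node);
            continue;
        }
        foreach (iterator_to_array($node->attributes, false) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = in_array($name, ALLOWED[$tag], true)
                && (!in_array($name, ['href', 'src'], true) || urlIsSafe($attr->value));
            if (!$ok) {
                $node->removeAttributeNode($attr); // drops on* handlers, style, unsafe URLs
            }
        }
    }
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
// Constructed sample input; in a Blade view the call would wrap the stored body, e.g.
// {!! sanitizeRichText($article->body) !!} (hypothetical field name).
echo sanitizeRichText('<p>Hi</p><img src="x" onerror="alert(1)"><script>alert(2)</script>'), PHP_EOL;
```

Sanitizing on save as well as on output keeps already-stored content covered and stops new unsafe markup from reaching the database.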

Added: May 8, 2026, 9:53 PM
Updated: May 8, 2026, 9:53 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 7.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.