Vvveb CMS Unauthenticated Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in Vvveb CMS versions prior to 1.0.8.2. This vulnerability allows unauthenticated attackers to execute arbitrary JavaScript in the context of the Vvveb origin. The issue arises in the visual editor preview renderer, where the 'isEditor()' function fails to perform proper session, role, or token verification. Instead, it only checks for the presence of a query parameter. As a result, attackers can manipulate the 'r' query parameter and the '_component_ajax' POST parameter to inject malicious scripts, which are then executed by victims when they interact with the editor preview.
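To make the root cause concrete, here is an added illustration (not Vvveb's code, and not its actual patch): a toy `is_editor` gate that, like the flawed check described above, grants editor mode on the mere presence of the `r` query parameter, beside a hardened variant that requires an authenticated session, an editor-capable role and a matching token, and that HTML-escapes whatever it reflects. The `Request` class, the role names, the `_token` field and the markup of the rendered preview are all assumptions made for the example.

```python
import hmac
import html
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    query: dict = field(default_factory=dict)    # parsed query string
    post: dict = field(default_factory=dict)     # parsed POST body
    session: dict = field(default_factory=dict)  # server-side session state


EDITOR_ROLES = {"admin", "editor"}  # hypothetical role names


def is_editor_vulnerable(req: Request) -> bool:
    """Mirrors the flaw: editor mode is granted to anyone who merely sends 'r'."""
    return "r" in req.query


def is_editor_fixed(req: Request, expected_token: str) -> bool:
    """Hypothetical hardened check: authenticated session, editor role, valid token."""
    if not req.session.get("user_id"):
        return False
    if req.session.get("role") not in EDITOR_ROLES:
        return False
    # Constant-time comparison so the token check is not a timing oracle.
    return hmac.compare_digest(req.post.get("_token", ""), expected_token)


def render_preview_vulnerable(req: Request) -> str:
    """Reflects both attacker-controlled parameters verbatim once the weak gate passes."""
    if not is_editor_vulnerable(req):
        return "403"
    route = req.query.get("r", "")
    component = req.post.get("_component_ajax", "")
    return f'<div data-route="{route}">{component}</div>'


def render_preview_fixed(req: Request, expected_token: str) -> str:
    """Gates on the real check and HTML-escapes anything that is reflected."""
    if not is_editor_fixed(req, expected_token):
        return "403"
    route = html.escape(req.query.get("r", ""), quote=True)
    component = html.escape(req.post.get("_component_ajax", ""))
    return f'<div data-route="{route}">{component}</div>'


# Constructed sample: an unauthenticated request carrying a markup payload.
PAYLOAD = "<script>alert(1)</script>"
ANON = Request(query={"r": "editor/preview"}, post={"_component_ajax": PAYLOAD})
```

Running `render_preview_vulnerable(ANON)` returns the payload unescaped inside the preview markup, while `render_preview_fixed(ANON, "secret-token")` returns `403` because the anonymous request has no session, role or token; an authenticated editor gets the preview with the payload rendered inert as `&lt;script&gt;...`.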

Impact

Exploitation of this vulnerability allows for full client-side code execution in the context of the victim, with potential consequences including session hijacking, account takeover, phishing, cross-site action forgery, and the establishment of persistent footholds through backdoor plugins.

Reproduction

To reproduce this vulnerability, send an unauthenticated POST request to the Vvveb CMS editor preview endpoint. Include the 'r' query parameter and the '_component_ajax' POST parameter with a crafted JavaScript payload, such as a script tag containing an alert. The injected script will be executed when the response is rendered in a browser.

Remediation

Upgrade to Vvveb CMS version 1.0.8.2 or later, which contains the fix for this vulnerability.

Added: May 7, 2026, 10:22 PM
Updated: May 7, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.