Vvveb CMS Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Vvveb CMS versions prior to 1.0.8.1. This issue arises in the comment submission process, where the author field is submitted by unauthenticated users on public post pages. The field is stored without proper sanitization and later rendered unsanitized in two different contexts. In the admin panel, the vulnerability allows arbitrary JavaScript execution in the admin's session by clicking a link in the comments moderation dashboard. On the public post page, the malicious script is executed in the browser of any visitor who clicks the Reply button on the affected comment, bypassing the need for admin interaction.
Impact
Exploitation of this vulnerability allows for arbitrary JavaScript execution in the context of the affected user's browser. This could lead to various malicious actions, such as defacing the rendered page, creating phishing overlays, logging keystrokes, redirecting to attacker-controlled sites, or delivering additional client-side payloads to users interacting with the malicious comment. The vulnerability persists until the comment is deleted.
Reproduction
To reproduce this vulnerability, submit a comment on a public post page of a Vvveb CMS version prior to 1.0.8.1, placing a payload that exploits the XSS vulnerability, such as an image tag with an onerror event, in the author field. Once submitted, the comment appears in the admin panel's moderation dashboard, where clicking the author link executes the JavaScript payload. Alternatively, visiting the public post page and clicking Reply on the malicious comment triggers the JavaScript execution in the visitor's browser.
Remediation
To address this vulnerability, Vvveb CMS users should update to version 1.0.8.1 or later. Additionally, it is recommended to validate and sanitize the author field during comment submission, encode the author value when rendering in the admin panel and public post pages, and implement a Content-Security-Policy to block inline script execution.
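As an added illustration of the remediation steps above (this is not Vvveb's own code; the function names, the admin URL path and the display-name policy are assumptions), the following Python shows input validation at submission time and context-appropriate output encoding for the two rendering locations the advisory names, together with a CSP value that blocks inline handlers:

```python
import html
import re

# Constructed sample input of the kind the advisory describes: an image tag
# carrying an onerror handler, submitted as the comment author name.
MALICIOUS_AUTHOR = '<img src=x onerror=alert(1)>'

# Assumed display-name policy: letters, digits, underscore, space, dot,
# apostrophe and hyphen, 1-64 characters. Validation is defence in depth;
# output encoding below is still required for every render.
AUTHOR_RE = re.compile(r"[\w .'\-]{1,64}")


def validate_author(author: str) -> bool:
    """Server-side check at comment submission; reject anything else."""
    return AUTHOR_RE.fullmatch(author) is not None


def render_admin_author_link(author: str, comment_id: int) -> str:
    """Admin moderation dashboard: the author is used both as link text and
    inside a title attribute. html.escape(quote=True) encodes & < > " ' so the
    value can neither inject elements nor break out of the attribute."""
    safe = html.escape(author, quote=True)
    return f'<a href="/admin/comments/{int(comment_id)}" title="{safe}">{safe}</a>'


def render_reply_button(author: str, comment_id: int) -> str:
    """Public post page: instead of an inline onclick that embeds the name in
    JavaScript, the name goes into a data attribute (attribute-encoded). A
    separate script reads button.dataset.author and assigns it to the reply
    form via .value/.textContent, never innerHTML, so no string is evaluated."""
    safe = html.escape(author, quote=True)
    return (f'<button class="reply" data-comment-id="{int(comment_id)}" '
            f'data-author="{safe}">Reply</button>')


# Response header value: scripts only from the site's own origin; inline
# <script> blocks and on* event handlers are refused by the browser.
CSP_HEADER = "script-src 'self'"


def payload_neutralized(rendered: str) -> bool:
    """True when the raw tag from the sample input no longer appears as markup."""
    return '<img' not in rendered and 'onerror=' not in html.unescape(rendered[:0]) + rendered.replace('&lt;', '')[:0] or '<img' not in rendered
```

The client-side script that consumes `data-author` must also keep to the same rule: copy the value into form fields with `.value` or `.textContent`, not `innerHTML`.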
