-
-
Save be4r/b5c48d97ef6726d3ee37f995ee5aac81 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Suggested description] | |
Yii2 Gii module up to version 2.2.4 allows for stored XSS vulnerability. | |
Some fields like Message Category (requires I18N enabled) in Model Generator, CRUD Generator or Form Generator, Author Name in Extension Generator, etc. are being cached without sanitisation of their contents when the Preview button is pressed. After revisiting said pages the cached content is being injected in the DOM without sanitisation. | |
This leads to a possibility of injecting malicious javascript in specified pages by placing it in said fields and caching it by pressing Preview button. On each consequent visit of specified pages malicious javascript will be loaded from server and executed in client's browser. | |
------------------------------------------ | |
[Vulnerability Type] | |
Cross Site Scripting (XSS) | |
------------------------------------------ | |
[Vendor of Product] | |
Yii Software | |
------------------------------------------ | |
[Affected Product Code Base] | |
Gii - <=2.2.4 | |
------------------------------------------ | |
[Affected Component] | |
affected web application page | |
------------------------------------------ | |
[Attack Type] | |
Remote | |
------------------------------------------ | |
[Impact Denial of Service] | |
true | |
------------------------------------------ | |
[Impact Escalation of Privileges] | |
true | |
------------------------------------------ | |
[Attack Vectors] | |
Some fields like Message Category (requires I18N enabled) in Model Generator, CRUD Generator or Form Generator, Author Name in Extension Generator, etc. are being cached without sanitisation of their contents when the Preview button is pressed. This leads to possibility of injecting malicious javascript in specified pages by placing it in said fields and caching it by pressing Preview button. On each consequent visit of specified pages malicious javascript will be loaded from server and executed in client's browser. | |
------------------------------------------ | |
[Reference] | |
https://github.com/yiisoft/yii2-gii | |
https://www.yiiframework.com/doc/guide/2.0/en/start-gii | |
https://gist.github.com/be4r/b5c48d97ef6726d3ee37f995ee5aac81 | |
------------------------------------------ | |
[Discoverer] | |
Boris Kovalkov, security researcher at SolidLab Ltd. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is there any upstream report? Did MITRE miss adding the two references you've listed here?