{"id":17266,"date":"2021-09-30T16:29:16","date_gmt":"2021-09-30T14:29:16","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17266"},"modified":"2022-05-02T11:43:03","modified_gmt":"2022-05-02T09:43:03","slug":"usd-2020-0105","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2020-0105\/","title":{"rendered":"usd-2020-0105"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2020-0105 | Themeco Cornerstone Editor<\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2020-0105<\/span>
Affected Product<\/strong>: Themeco Cornerstone Editor<\/span>
Affected Version<\/strong>: v7.2.3<\/span>
Vulnerability Type<\/strong>: Stored Cross-Site Scripting (Stored XSS)<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/theme.co\/<\/a>
Vendor Status<\/strong>: Not fixed<\/span><\/em><\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

The Themeco Cornerstone Editor is a WordPress plugin that offers a HTML WYSIWYG editor with a broad feature set.<\/p>\n

Authenticated users may create and edit X Theme frontend articles. In doing so, moderators can embed different content elements, including Classic Text<\/em>, Text<\/em> and more.<\/p>\n

The text<\/em> content element suffers from a stored Cross-Site Scripting (XSS) vulnerability, injected JavaScript is executed if a victim enters the \"Edit\" view of a prepared article as well as published blog posts. As this functionality is available for relatively low-privileged moderators, a malicious user could target higher privileged backend users with this XSS vulnerability.<\/p>\n

The described issue probably affects other content elements as well.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

XSS inside Editor:<\/p>\n

1. Create a new article at https:\/\/vulnerablewebsite.com\/x\/#\/content<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/09\/xss1.png\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"0px||0px|||\" global_colors_info=\"{}\"]<\/p>\n

2. Create a Classic Text<\/em> element<\/p>\n

3. Choose \"<\/>\" to enter HTML and set the content to of the element to:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" custom_margin=\"20px||20px||false|false\" global_colors_info=\"{}\"]<\/p>\n

&lt;script&gt;alert(document.domain)&lt;\/script&gt;<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"0px|||||\" global_colors_info=\"{}\"]<\/p>\n

4. Observe that the JavaScript is executed<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/09\/xss2-1.png\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"0px|||||\" global_colors_info=\"{}\"]<\/p>\n

XSS in published article:<\/p>\n

1. Create a new article at https:\/\/vulnerablewebsite.com\/x\/#\/content<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/10\/xss3-1_N.png\" title_text=\"xss3-1_N\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_padding=\"0px|||||\" global_colors_info=\"{}\"]<\/p>\n

2. Create a Classic Text<\/em> element<\/p>\n

3. Choose \"<\/>\" to enter HTML and set the content to of the element to:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n

<script>alert(document.domain)<\/script><\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

4. Observe that the JavaScript is executed<\/p>\n

[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2021\/09\/xss4-1.png\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.16\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

\n
\n

Fix<\/h3>\n
WordPress allows to assign different roles to backend users. Users with relatively low moderator privileges should only be allowed to insert text contents and at most harmless markup. Thus, it is recommended to sanitize and\/or encode user controlled contents in a context-aware manner.<\/div>\n

 <\/p>\n

<\/div>\n

References<\/h3>\n