ReflectedXSS-ContentEditor.md

File metadata and controls

47 lines (28 loc) · 1.77 KB

CVE-2024-13031 - Reflected XSS in content editor of Antabot White-Jotter 0.2.2

Description:

A reflected Cross-Site Scripting (XSS) vulnerability exists in the authenticated content editing functionality of Antabot White-Jotter 0.2.2. The payload executes as soon as a valid XSS payload is entered in the content editor.

Affected Component:

  • Endpoint: /admin/content/editor
  • Application Version: 0.2.2

Type of Vulnerability:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Steps to Reproduce / PoC:

  • For local testing, log in to the backend and navigate to http://localhost:8443/admin/content/editor.
  • Within the article content editor, input an XSS payload such as:
    <img src="bad" onerror="alert(String.fromCharCode(88,83,83))"></img>
  • Immediately after the payload is supplied within the editor, the reflected XSS fires.

Root Cause:

The application fails to properly sanitize input fields used in the content editor. Specifically, attributes like onerror within HTML elements are not validated or escaped, allowing JavaScript code execution.

Mitigation Recommendations:

  1. Input Validation and Sanitization:

    • Validate and sanitize all user input within the content editor to prevent injection of malicious code.
    • Use a trusted library, such as DOMPurify, to remove dangerous attributes and scripts.
  2. Content Security Policy (CSP): Implement a CSP to limit the execution of inline JavaScript or restrict resource loading to trusted domains.
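As an added illustration (not code from White-Jotter or from DOMPurify), the allowlist approach behind the first recommendation, shown in JavaScript on the advisory's own payload: every on* event-handler attribute is dropped, only allowlisted elements and attributes survive, and URL attributes must carry a safe scheme. The tag and attribute allowlists and the CSP value are assumptions chosen for this example.

```javascript
// Added example, not White-Jotter's code: an allowlist-based HTML sanitizer in the
// spirit of DOMPurify's defaults, to show why the PoC payload stops executing once
// event-handler attributes are removed. Allowlists below are assumptions.
const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "a", "img", "ul", "ol", "li", "br", "code", "pre"]);
const ALLOWED_ATTRS = { a: ["href", "title"], img: ["src", "alt", "title"] };

// A URL is accepted when it has no scheme (relative) or an http/https/mailto scheme.
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, ""); // defeat whitespace/control-char padding
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return !m || ["http", "https", "mailto"].includes(m[1].toLowerCase());
}

function sanitizeAttrs(tag, attrText) {
  const out = [];
  const re = /([a-zA-Z_:][-\w:.]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    let value = m[2] || "";
    if (/^["']/.test(value)) value = value.slice(1, -1);
    if (name.startsWith("on")) continue;                        // onerror, onload, ... are never kept
    if (!(ALLOWED_ATTRS[tag] || []).includes(name)) continue;   // attribute not on the allowlist
    if ((name === "href" || name === "src") && !safeUrl(value)) continue;
    out.push(` ${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return out.join("");
}

function sanitizeHtml(html) {
  // Remove script/style elements with their bodies, then rewrite every remaining tag.
  const noScripts = html.replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, "");
  return noScripts.replace(/<\s*(\/?)\s*([a-zA-Z][\w-]*)([^>]*)>/g, (whole, slash, rawTag, attrs) => {
    const tag = rawTag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";   // unknown element: drop the tag, keep its text
    if (slash) return `</${tag}>`;
    return `<${tag}${sanitizeAttrs(tag, attrs)}>`;
  });
}

// Second recommendation: a CSP for the editor response that forbids inline handlers and
// inline scripts and only allows scripts from the application's own origin (assumed value).
const CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'";

// Constructed input: the PoC payload quoted in this advisory.
const POC = '<img src="bad" onerror="alert(String.fromCharCode(88,83,83))"></img>';
console.log(sanitizeHtml(POC)); // <img src="bad"></img>
console.log(CSP_HEADER);
```

This demonstrates the principle on the advisory's payload; the regex-based tag handling does not cover the parser edge cases a full sanitizer such as DOMPurify, as recommended above, is built to handle.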

References: