CVE-2023-50250, fixed in 1.2.26, can still be triggered with a non-empty file named "');alert(1);('".xml.
diff --git a/lib/functions.php b/lib/functions.php
index b053cdcfd..4441953d3 100644
--- a/lib/functions.php
+++ b/lib/functions.php
@@ -1050,8 +1050,8 @@ function raise_message($message_id, $message = '', $message_level = MESSAGE_LEVE
function raise_message_javascript($title, $header, $message) {
?>
<script type='text/javascript'>
- var mixedReasonTitle = DOMPurify.sanitize('<?php print $title;?>');
- var mixedOnPage = DOMPurify.sanitize('<?php print $header;?>');
+ var mixedReasonTitle = DOMPurify.sanitize(<?php print json_encode($title, JSON_THROW_ON_ERROR);?>);
+ var mixedOnPage = DOMPurify.sanitize(<?php print json_encode($header, JSON_THROW_ON_ERROR);?>);
sessionMessage = {
message: DOMPurify.sanitize('<?php print $message;?>'),
level: MESSAGE_LEVEL_MIXED
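Review bot: the unchanged context line message: DOMPurify.sanitize('<?php print $message;?>') keeps exactly the single-quoted interpolation this hunk removes for $title and $header, so a single quote in $message still terminates the JS literal; give it the same json_encode() treatment. Also consider JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT in the flags: without them json_encode() leaves < and > unescaped, so a value containing a closing script tag would still end the enclosing <script> element early, whereas with them the literal is safe in both script and attribute context. Finally, JSON_THROW_ON_ERROR raises a JsonException (for example on invalid UTF-8) in the middle of page output, and nothing in the hunk catches it.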
Summary
CVE-2023-50250, fixed in 1.2.26, can still be triggered with a non-empty file named "');alert(1);('".xml.
Details
raise_message_javascript from lib/functions.php now uses purify.js to fix CVE-2023-50250 (among others). However, it still generates the code out of unescaped PHP variables $title and $header. If those variables contain single quotes, they can be used to inject JavaScript code.
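As an added example (not Cacti's code and separate from the diff above), the PHP script below reproduces the interpolation pattern described in Details next to a json_encode() replacement, and runs a structural check over both outputs using the file name from this advisory; the function names are assumptions.

```php
<?php
// Added example, not Cacti's code: contrasts the interpolation pattern this
// advisory describes with a json_encode()-based replacement. Function names
// are hypothetical; the input is the file name quoted in the advisory.
declare(strict_types=1);

// Vulnerable pattern: the PHP value is dropped inside a JS single-quoted
// literal, so a single quote in the value terminates the literal early.
function render_vulnerable(string $title): string
{
    return "var mixedReasonTitle = DOMPurify.sanitize('" . $title . "');";
}

// Hardened form: json_encode() emits a complete JS string literal. The HEX
// flags also encode < > & ' " as \uXXXX, so the result cannot close the
// enclosing <script> element or an HTML attribute, whatever the value holds.
function render_safe(string $title): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return 'var mixedReasonTitle = DOMPurify.sanitize('
         . json_encode($title, $flags) . ');';
}

// Structural check usable in a unit test: blank out every JS string literal
// and require that exactly the fixed template remains. Any breakout leaves
// extra tokens behind and fails the comparison.
function is_single_literal(string $js): bool
{
    $literal  = '/"(?:[^"\\\\]|\\\\.)*"|\'(?:[^\'\\\\]|\\\\.)*\'/';
    $stripped = preg_replace($literal, 'STR', $js);
    return $stripped === 'var mixedReasonTitle = DOMPurify.sanitize(STR);';
}

$name = "');alert(1);('.xml";   // file name from this advisory (constructed input)
foreach (['vulnerable' => render_vulnerable($name),
          'safe'       => render_safe($name)] as $label => $js) {
    printf("%-10s %s\n           single literal: %s\n",
           $label, $js, is_single_literal($js) ? 'yes' : 'NO');
}
```

The vulnerable rendering fails the check because the file name's quote closes the literal and leaves alert(1) as a separate statement, while the json_encode() rendering passes.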
Fix suggestion to better explain what I mean:
PoC
Same as in GHSA-xwqc-7jc4-xm73 but with "');alert(1);('".xml.
Impact
An attacker exploiting this vulnerability could execute actions on behalf of other users. This ability to impersonate users could lead to unauthorized changes to settings.