CVE-2023-46744

{"id": "CVE-2023-46744", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2023-11-07T18:15:09.600", "references": [{"url": "https://github.com/Squidex/squidex/security/advisories/GHSA-xfr4-qg2v-7v5m", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Squidex/squidex/security/advisories/GHSA-xfr4-qg2v-7v5m", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Squidex is an open source headless CMS and content management hub. In affected versions a stored Cross-Site Scripting (XSS) vulnerability enables privilege escalation of authenticated users. The SVG element filtering mechanism intended to stop XSS attacks through uploaded SVG images, is insufficient resulting to stored XSS attacks. Squidex allows the CMS contributors to be granted the permission of uploading an SVG asset. When the asset is uploaded, a filtering mechanism is performed to validate that the SVG does not contain malicious code. The validation logic consists of traversing the HTML nodes in the DOM. In order for the validation to succeed, 2 conditions must be met: 1. No HTML tags included in a \"blacklist\" called \"InvalidSvgElements\" are present. This list only contains the element \"script\". and 2. No attributes of HTML tags begin with \"on\" (i.e. onerror, onclick) (line 65). If either of the 2 conditions is not satisfied, validation fails and the file/asset is not uploaded. However it is possible to bypass the above filtering mechanism and execute arbitrary JavaScript code by introducing other HTML elements such as an <iframe> element with a \"src\" attribute containing a \"javascript:\" value. Authenticated adversaries with the \"assets.create\" permission, can leverage this vulnerability to upload a malicious SVG as an asset, targeting any registered user that will attempt to open/view the asset through the Squidex CMS."}, {"lang": "es", "value": "Squidex es un centro de gesti\u00f3n de contenidos y CMS headless de c\u00f3digo abierto. En las versiones afectadas, una vulnerabilidad de Cross-Site Scripting (XSS) Almacenado permite la escalada de privilegios de los usuarios autenticados. El mecanismo de filtrado de elementos SVG destinado a detener los ataques XSS a trav\u00e9s de im\u00e1genes SVG cargadas es insuficiente, lo que resulta en ataques XSS almacenados. Squidex permite a los contribuyentes de CMS obtener permiso para cargar un activo SVG. Cuando se carga el activo, se realiza un mecanismo de filtrado para validar que el SVG no contenga c\u00f3digo malicioso. La l\u00f3gica de validaci\u00f3n consiste en recorrer los nodos HTML en el DOM. Para que la validaci\u00f3n se realice correctamente, se deben cumplir 2 condiciones: 1. No hay etiquetas HTML incluidas en una \"lista negra\" llamada \"InvalidSvgElements\". Esta lista s\u00f3lo contiene el elemento \"script\". y 2. Ning\u00fan atributo de las etiquetas HTML comienza con \"on\" (es decir, onerror, onclick) (l\u00ednea 65). Si alguna de las 2 condiciones no se cumple, la validaci\u00f3n falla y el archivo/activo no se carga. Sin embargo, es posible omitir el mecanismo de filtrado anterior y ejecutar c\u00f3digo JavaScript arbitrario introduciendo otros elementos HTML como un elemento con un atributo \"src\" que contenga un valor \"javascript:\". Los adversarios autenticados con el permiso \"assets.create\" pueden aprovechar esta vulnerabilidad para cargar un SVG malicioso como activo, dirigido a cualquier usuario registrado que intente abrir/ver el activo a trav\u00e9s del CMS Squidex."}], "lastModified": "2024-11-21T08:29:12.707", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:squidex.io:squidex:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2DB62C9E-522C-455C-B84A-2B2C4A48806F", "versionEndIncluding": "7.8.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}