CVE-2015-5521
Description
Cross-site scripting (XSS) vulnerability in BlackCat CMS 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the name in a new group to backend/groups/index.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BlackCat CMS 1.1.2 has a stored XSS vulnerability in the group creation feature via the name parameter, allowing authenticated attackers to execute arbitrary JavaScript.
Vulnerability
BlackCat CMS 1.1.2 contains a stored cross-site scripting (XSS) vulnerability in the backend/groups/index.php endpoint. The name parameter when creating a new group is not properly sanitized before being rendered, allowing injection of arbitrary HTML or JavaScript code. Any authenticated user with access to the group creation form can exploit this. The issue is tracked on GitHub as issue #408 [1].
Exploitation
An attacker must first log into the BlackCat CMS administration panel. They then navigate to /backend/groups/index.php and create a new group with a crafted name value, such as the quote characters '" followed by a script payload. After the group is saved, the malicious code is stored and executes in the browser of any administrator who subsequently views the group list or management page. No user interaction is required beyond viewing the affected page [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can be used to steal cookies (allowing account hijacking), perform arbitrary requests impersonating the victim, prompt the user to download malware (leveraging the trust in the legitimate site), or deface the website by modifying its appearance [1]. The compromise is at the level of the affected administrative user's privileges.
Mitigation
The official fix was applied in a later commit to the BlackCatCMS repository, but no formal patched release version is mentioned in the reference [1]. Users should update to the latest available version from the vendor's GitHub repository. If immediate patching is not possible, administrators can restrict access to the group management page to only trusted users and validate or encode the name parameter server-side [1].
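As an added illustration of the mitigation above (this is not BlackCat CMS code; the function names, the $groups sample data and the row markup are constructed here), the following PHP contrasts the unsafe rendering pattern behind this class of bug with a context-encoded version and adds the server-side name check the advisory recommends:

```php
<?php
// Added example, not BlackCat CMS code. Contrasts an unescaped render of a stored
// group name (the defect class described for backend/groups/index.php) with a
// hardened render, plus an allow-list check at creation time.
declare(strict_types=1);

// Constructed sample data: one benign group and one whose name carries the
// quote and tag characters a stored-XSS payload relies on.
$groups = [
    ['id' => 1, 'name' => 'Editors'],
    ['id' => 2, 'name' => '\'"><script>/*payload*/</script>'],
];

// Vulnerable pattern: the stored name is concatenated into HTML unchanged,
// both in element content and inside an attribute value.
function renderGroupRowUnsafe(array $group): string
{
    return '<tr><td>' . $group['name'] . '</td>'
         . '<td><a href="index.php?id=' . $group['id'] . '" title="' . $group['name'] . '">edit</a></td></tr>';
}

// Hardened pattern: every untrusted value is encoded for the HTML context it
// lands in. ENT_QUOTES escapes both ' and ", which matters inside attributes;
// specifying UTF-8 keeps the encoder from silently returning an empty string
// on malformed input.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderGroupRowSafe(array $group): string
{
    $id = (int) $group['id']; // numeric field: cast rather than encode
    return '<tr><td>' . h($group['name']) . '</td>'
         . '<td><a href="index.php?id=' . $id . '" title="' . h($group['name']) . '">edit</a></td></tr>';
}

// Server-side validation at group creation time: an allow-list of letters,
// digits, space and a few separators, capped at 64 characters. Output encoding
// is still required because names stored before this check was added may
// already sit in the database.
function isValidGroupName(string $name): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _.-]{1,64}$/u', $name);
}

foreach ($groups as $group) {
    echo "unsafe: " . renderGroupRowUnsafe($group) . "\n";
    echo "safe:   " . renderGroupRowSafe($group) . "\n";
    echo "valid name: " . (isValidGroupName($group['name']) ? 'yes' : 'no') . "\n\n";
}
```

Running it prints the second group's name once as live markup and once as inert text (`&#039;&quot;&gt;&lt;script&gt;...`), and the validator rejects that name while accepting "Editors". The two controls are complementary: validation narrows what can be stored, encoding protects the page regardless of what is stored.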
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3 listed (1 more not shown)
- (no CPE)
- (no CPE), range: <=1.1.2
- cpe:2.3:a:blackcat-cms:blackcat_cms:1.1.2:*:*:*:*:*:*:*
Patches
0 patches: No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2 references
- packetstormsecurity.com/files/132589/Black-Cat-CMS-1.1.2-Cross-Site-Scripting.html (NVD tags: Exploit, Third Party Advisory, VDB Entry)
- github.com/BlackCatDevelopment/BlackCatCMS/issues/408 (NVD tags: Issue Tracking, Third Party Advisory)
News mentions
0 articles: No linked articles in our index yet.