VYPR
Unrated severity · NVD Advisory · Published Apr 22, 2018 · Updated Aug 5, 2024

CVE-2017-17889

Description

Kliqqi CMS 3.5.2 has XSS via a crafted group name in pligg/groups.php, a crafted Homepage string in a profile, or a crafted string in Tags or Description within pligg/submit.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kliqqi CMS 3.5.2 contains multiple cross-site scripting vulnerabilities via group name, profile homepage, and submit fields.

Vulnerability

Kliqqi CMS version 3.5.2 is vulnerable to multiple cross-site scripting (XSS) flaws. Two are stored XSS: one via a crafted group name in pligg/groups.php and one via a crafted Homepage string in the user profile settings. The other two are DOM-based XSS via crafted strings in the Tags and Description fields of pligg/submit.php. [1]

Exploitation

For the stored XSS via group name, an attacker with an ordinary user or moderator account creates a group whose name contains the payload " onmouseover=confirm(0) (the leading double quote closes the attribute the name is written into, so the rest is parsed as a new event-handler attribute); hovering over the group's avatar then fires the script. For the stored XSS via profile, the attacker sets the Homepage to javascript:alert(0); clicking the displayed URL runs the payload, because the value is emitted as a link target without the scheme being checked. For the DOM-based XSS, the attacker enters "><svg/onload=alert()> in either the Tags or the Description field on the submit page, and the script executes immediately. [1]
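The following is an added example, not Kliqqi or Plikli code; the field names, the rendering functions and the checker are assumptions made for the demonstration. It feeds the three payload strings quoted above into a rendering pattern that reproduces the flaw (raw concatenation into an attribute, an href and a text node), then into a hardened renderer that encodes each value for its context and allows only http(s) URLs. A small tag/attribute tokenizer compares the two outputs; it is a check for the demo, not a sanitizer.

```javascript
// Added example (not Kliqqi or Plikli code; field and function names are assumed):
// the three payload classes quoted in the advisory, a rendering pattern that
// reproduces the flaw, the context-aware encoding that closes it, and a small
// tokenizer used here only to compare the two outputs.

// Encode for HTML text and double-quoted attribute contexts. Every character that
// can close a quoted attribute or open a tag is replaced with an entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Accept only http(s) URLs for user-supplied links. "javascript:alert(0)" parses
// with protocol "javascript:" and is rejected; an unparseable string is rejected too.
function safeHttpUrl(raw) {
  let u;
  try { u = new URL(String(raw).trim()); } catch { return null; }
  return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
}

// Vulnerable rendering: user input concatenated straight into attribute, href and
// text positions, which is the pattern the advisory's payloads exploit.
function renderVulnerable(p) {
  return `<img class="avatar" src="${p.avatar}" title="${p.groupName}">` +
         `<a href="${p.homepage}">${p.homepage}</a>` +
         `<p class="tags">${p.tags}</p>`;
}

// Hardened rendering: encode every value for its context and validate the URL
// before it reaches href (the link is dropped when the scheme is not http/https).
function renderHardened(p) {
  const href = safeHttpUrl(p.homepage);
  const link = href ? `<a href="${escapeHtml(href)}">${escapeHtml(href)}</a>` : '';
  return `<img class="avatar" src="${escapeHtml(p.avatar)}" title="${escapeHtml(p.groupName)}">` +
         link + `<p class="tags">${escapeHtml(p.tags)}</p>`;
}

// Tokenize start tags and their attributes (honouring quoted values) and report
// event-handler attributes, svg/script elements and javascript: URLs. This is a
// check for the demo, not a sanitizer: real verification belongs in a browser DOM.
function findExecutableSinks(html) {
  const findings = [];
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*?)\/?>/g;
  const attrRe = /([^\s="'<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const name = tag[1].toLowerCase();
    if (name === 'svg' || name === 'script') findings.push(`<${name}> element`);
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      const aName = attr[1].toLowerCase();
      const aValue = attr[2] ?? attr[3] ?? attr[4] ?? '';
      if (aName.startsWith('on')) findings.push(`${name}@${aName}`);
      if ((aName === 'href' || aName === 'src') && /^\s*javascript:/i.test(aValue)) {
        findings.push(`${name}@${aName}=javascript:`);
      }
    }
  }
  return findings;
}

// Constructed sample input: the payload strings quoted in the advisory.
const advisoryPayloads = {
  avatar: '/avatars/1.png',
  groupName: '" onmouseover=confirm(0) ',
  homepage: 'javascript:alert(0)',
  tags: '"><svg/onload=alert()>',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findExecutableSinks(renderVulnerable(advisoryPayloads)));
  console.log(findExecutableSinks(renderHardened(advisoryPayloads)));
}
```

Run with node: the vulnerable renderer yields an onmouseover handler on the img, a javascript: href and an svg element with an onload handler, which are exactly the three effects described above; the hardened renderer yields no findings because the group name is now inert attribute text, the homepage link is dropped, and the Tags string is entity-encoded text. Note that the same group name would still be dangerous if the hardened template placed it inside an unquoted attribute or a script block; encoding has to match the context the value lands in.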

Impact

An attacker can inject arbitrary JavaScript into the application, leading to theft of cookies, session tokens, or other sensitive information retained by the browser; the script can also rewrite page content. Frameworks such as BeEF can automate exploitation once the injected script runs in a victim's browser. [1]

Mitigation

The original Kliqqi CMS project has been superseded by Plikli CMS. The fix for these vulnerabilities is included in Plikli CMS version 4.0, released on 22 April 2018. Users should upgrade to Plikli CMS 4.0 or later. No other workarounds are documented. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet; the Mitigation section above records the fix as shipping in Plikli CMS 4.0)


References: 1 (cited as [1] above)
