CVE-2018-15847
Description
An issue was discovered in puppyCMS 5.1. There is an XSS vulnerability via menu.php in the "Add Page/URL" URL link field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
puppyCMS 5.1 has a stored XSS vulnerability in the menu.php 'Add Page/URL' URL link field, allowing arbitrary JavaScript execution.
Vulnerability
An issue was discovered in puppyCMS 5.1 where a stored cross-site scripting (XSS) vulnerability exists in the menu.php page. The vulnerability is located in the "Add Page/URL" form's URL link field. An authenticated administrator can inject arbitrary JavaScript code into the URL field, which is stored and later executed when the menu is rendered. The affected code path is in admin/menu.php around line 167 where the menu structure is displayed. The vulnerability requires the attacker to have administrative access to the CMS.
Exploitation
An attacker with administrative credentials logs in, navigates to "SETTINGS" and then to the menu management page (admin/menu.php). In the "Add Page/URL" section, the attacker inserts a malicious payload such as ' into the URL field and submits the form [1]. The payload is stored in the menu configuration. When any user (including other admins) views the menu page, the injected script executes in the context of the victim's browser.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user who visits the affected menu page. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is stored, meaning the payload persists and affects all subsequent visitors until removed.
Mitigation
As of the available reference [1], no official patch has been released for puppyCMS 5.1. The vendor has not addressed the issue. Users should consider upgrading to a newer version if available, or manually sanitize the URL input in the menu.php file. Alternatively, restrict access to the admin panel to trusted users only.
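One way to implement the manual sanitization suggested above, as an added example that is not puppyCMS code and is not taken from the referenced issue. The function names `sanitize_menu_url` and `render_menu_link` are hypothetical, and the example assumes the URL field should accept only http(s) URLs and site-relative paths; it validates the value when it is saved and encodes it again when the menu is rendered.

```php
<?php
// Added example, not puppyCMS code. Function names are hypothetical.

/** Validate a menu URL on save. Returns the URL, or null if it is rejected. */
function sanitize_menu_url(string $raw): ?string
{
    $url = trim($raw);
    // Reject control chars, whitespace, quotes, angle brackets, backticks, backslashes.
    if ($url === '' || preg_match('/[\x00-\x20\x7f"\'<>`\\\\]/', $url)) {
        return null;
    }
    // Site-relative path: one leading slash, not protocol-relative "//host".
    if (preg_match('#^/(?!/)#', $url)) {
        return $url;
    }
    // Absolute URL: scheme must be allowlisted and a host must be present.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/** Encode on output too, so a value stored before the fix still renders inert. */
function render_menu_link(string $url, string $label): string
{
    $safe = sanitize_menu_url($url) ?? '#';
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return '<a href="' . htmlspecialchars($safe, $flags, 'UTF-8') . '">'
         . htmlspecialchars($label, $flags, 'UTF-8') . '</a>';
}

// Constructed sample inputs (not the payload from the referenced issue).
$samples = [
    'https://example.com/about',      // accepted
    '/contact',                       // accepted
    'javascript:alert(1)',            // rejected: scheme not allowlisted, no host
    '"><script>alert(1)</script>',    // rejected: quote and angle brackets
    '//other.example/path',           // rejected: protocol-relative
];
foreach ($samples as $s) {
    echo str_pad(var_export(sanitize_menu_url($s), true), 32), ' <= ', $s, PHP_EOL;
}
echo render_menu_link('"><script>alert(1)</script>', 'About & Co'), PHP_EOL;
```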
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References
[1] github.com/choregus/puppyCMS/issues/12 (mitre, x_refsource_MISC)