CVE-2023-29854
Description
DirCMS 6.0.0 has a Cross Site Scripting (XSS) vulnerability in the foreground.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DirCMS 6.0.0 contains a stored/reflected Cross-Site Scripting (XSS) vulnerability in the foreground due to insufficient input filtering in the Routes.php file.
Vulnerability
DirCMS 6.0.0 has a Cross-Site Scripting (XSS) vulnerability in the foreground. The issue is located in the file /dircms/Core/Config/Routes.php at line 74, where client-submitted parameters are received and stored in the variable $m. This data is then passed to the setDefaultMethod function in /dircms/System/Router/RouteCollection.php, which outputs the unsanitized input directly, leading to the injection of arbitrary JavaScript [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP GET request to the vulnerable endpoint. The proof-of-concept URL is: /admin.php?c=module_search&dir=22222&m=show_indexqdspkdx3bt. The attacker does not need any special privileges; the victim must be tricked into opening the malicious link, or the script can fire automatically if the attacker can inject it into a page viewed by other users [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The attack can be performed without authentication, making it a medium-severity threat [1].
Mitigation
As of the publication date (2023-04-18), no official patch or fixed version has been released for DirCMS 6.0.0. Users are advised to sanitize user input in the Routes.php file, specifically in the setDefaultMethod function, to prevent XSS. There is no known workaround available from the vendor. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
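One defensive pattern for the Routes.php handling described above, as an added PHP example that is not DirCMS's own code: the method name taken from the request is checked against a strict identifier allowlist before it reaches the router, and anything reflected into HTML is escaped regardless. The function names and the commented `$routes->setDefaultMethod` call are assumptions about where such a check would sit.

```php
<?php
// Added illustration (not DirCMS code): validate the route method name taken
// from the request before it reaches the router, and escape it on output.
// Function names below are hypothetical; DirCMS's real Routes.php differs.

declare(strict_types=1);

/**
 * Return $method only if it is a syntactically valid PHP method name;
 * otherwise return the fallback. A value carrying markup is rejected here
 * instead of being handed to the router and reflected into a page.
 */
function sanitizeRouteMethod(?string $method, string $fallback = 'index'): string
{
    if ($method === null || $method === '') {
        return $fallback;
    }
    // PHP identifiers: a letter or underscore, then letters, digits, underscores.
    if (preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $method) !== 1) {
        return $fallback;
    }
    return $method;
}

/** Escape before any HTML output, independent of the allowlist above. */
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request values for demonstration (not taken from a real request).
$samples = [
    'show_index',               // valid: passed through unchanged
    'show_index<img src=x>',    // rejected: falls back to "index"
    '',                         // empty: falls back to "index"
];

foreach ($samples as $m) {
    $method = sanitizeRouteMethod($m);
    // $routes->setDefaultMethod($method);  // hypothetical router call
    echo escapeForHtml($m), ' -> ', escapeForHtml($method), PHP_EOL;
}
```

The allowlist stops the router from ever seeing a non-identifier, and the escaping step covers any other place where the raw parameter might still be echoed.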
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
DirCMS / DirCMS (2 entries)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions
No linked articles in our index yet.