NukeViet CMS: Stored Cross-Site Scripting (XSS) via insufficient server-side input sanitization in Request class
Description
Impact
NukeViet CMS versions before 4.5.08 contain a Stored Cross-Site Scripting (XSS) vulnerability caused by insufficient server-side input sanitization in the Request class. The application relies primarily on client-side filtering to remove dangerous HTML tags and attributes from user-submitted content; an attacker bypasses that filtering by intercepting and modifying the HTTP request directly (e.g., with Burp Suite).
This affects any module or functionality that accepts user HTML input through the Request class. An attacker can inject a payload such as <iframe srcdoc="<img src=1 onerror=alert(document.cookie)>"></iframe>: the server-side filter checks the attributes of the iframe tag itself but does not parse the HTML nested inside the srcdoc attribute, so the payload is stored server-side and executed in the browser of any user who views the content.
Who is impacted:
- Administrators and moderators who view user-submitted content (e.g., contact messages, comments, or any module that uses the Request class for HTML input).
- The Contact module was used as a proof of concept, but the vulnerability is not limited to this module.
- No authentication is required to exploit this vulnerability, so any anonymous visitor can trigger it.
Potential impact includes:
- Session hijacking via cookie theft (for cookies without the HttpOnly flag)
- Performing actions on the application under the victim's identity
- Defacement or redirection to phishing pages
- Phishing attacks via manipulated email notifications
Patches
This vulnerability has been fixed in NukeViet 4.5.08. Users should upgrade to version 4.5.08 or later.
Workarounds
- Implement server-side HTML sanitization in the Request class to strip or encode dangerous tags and attributes (e.g., <iframe>, srcdoc, and event handlers such as onerror and onload). Attribute values that are themselves HTML, such as srcdoc, must be parsed and filtered as documents; entity-encoding them is not enough, because the browser decodes the attribute and then parses the result as markup.
- Apply a Content Security Policy (CSP) header to restrict inline script execution (inline event handlers such as onerror are blocked unless 'unsafe-inline' or 'unsafe-hashes' is allowed).
- Ensure cookies are set with the HttpOnly flag to mitigate cookie theft via XSS.
The CSP and HttpOnly measures limit the impact of an injected payload; only the server-side sanitization removes the vulnerability itself.
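The mechanism described in the Impact section and the first workaround above, as an added example (this is not NukeViet's code): a toy Python sanitizer with two modes. sanitize_vulnerable mirrors a filter that strips event handlers and script URLs but treats srcdoc as an opaque string, so the payload quoted above survives even though its value is entity-encoded on output. sanitize_hardened parses the srcdoc value with the same rules and drops the attribute when anything inside it was rejected. The tag and attribute allow-lists, the MAX_NESTING bound and the function names are assumptions chosen for this example, not values from the Request class.

```python
"""Toy HTML attribute sanitizer illustrating the srcdoc blind spot.

Added example, not NukeViet's code. The allow-lists and the nesting limit
are assumptions for the demo; the real Request class has far larger lists.
"""
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "img", "iframe"}   # assumption: demo allow-list
URL_ATTRS = {"href", "src"}                            # checked for script schemes
HTML_CONTENT_ATTRS = {"srcdoc"}                        # values that are HTML documents themselves
MAX_NESTING = 5                                        # assumption: bound srcdoc-in-srcdoc recursion
BAD_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.I)


class _Sanitizer(HTMLParser):
    """Rebuilds the document from allowed tags and attributes only.

    html.parser lowercases attribute names and decodes entities in attribute
    values, so `value` below is the string a browser would see.
    """

    def __init__(self, recurse_html_attrs, depth):
        super().__init__()          # convert_charrefs=True: handle_data receives decoded text
        self.recurse = recurse_html_attrs
        self.depth = depth
        self.out = []
        self.valid = True           # flips to False when anything had to be dropped

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.valid = False
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):                            # event handler: drop
                self.valid = False
                continue
            if name in URL_ATTRS and BAD_SCHEME.search(value):   # javascript:/data: URL: drop
                self.valid = False
                continue
            if name in HTML_CONTENT_ATTRS and self.recurse:
                # Hardened path: the value is a whole HTML document, so filter it with
                # the same rules and drop the attribute if anything inside was rejected.
                nested, nested_ok = _sanitize(value, True, self.depth + 1)
                if not nested_ok:
                    self.valid = False
                    continue
                value = nested
            # The vulnerable path also lands here for srcdoc: entity-encoding is right
            # for ordinary attributes but does not defuse markup inside srcdoc, because
            # the browser decodes the attribute and then parses the result as HTML.
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def _sanitize(doc, recurse, depth):
    """Return (filtered_html, nothing_was_dropped) for one document level."""
    if depth > MAX_NESTING:
        return "", False
    parser = _Sanitizer(recurse, depth)
    parser.feed(doc)
    parser.close()
    return "".join(parser.out), parser.valid


def sanitize_vulnerable(doc):
    """Strips on* handlers and script URLs but treats srcdoc as opaque text."""
    return _sanitize(doc, recurse=False, depth=0)


def sanitize_hardened(doc):
    """Same rules, plus recursive filtering of HTML-valued attributes."""
    return _sanitize(doc, recurse=True, depth=0)


if __name__ == "__main__":
    payload = '<iframe srcdoc="<img src=1 onerror=alert(document.cookie)>"></iframe>'
    print(sanitize_vulnerable(payload))   # onerror survives inside the encoded srcdoc value
    print(sanitize_hardened(payload))     # ('<iframe></iframe>', False)
```

The hardened branch has the same decode, filter, re-encode shape as the upstream change to Request::filterAttr shown in the patch below, with one deliberate difference: this example drops the srcdoc attribute outright when the nested document was not clean, whereas the upstream hunk emits the filtered value and only flags the tag through $isvalid.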
Resources
- Affected source: https://github.com/nukeviet/nukeviet/blob/nukeviet4.5/modules/contact/funcs/main.php
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): https://cwe.mitre.org/data/definitions/79.html
Patches
12a0860fbe22e: Fix XSS vulnerability in the request class
2 files changed · +27 −3
CHANGELOG.txt+1 −0 modified@@ -4,6 +4,7 @@ NUKEVIET 4.5.08 - Remove abandoned package true/punycode - Remove the and/oauth package, which has long been unmaintained, and replace it with league/oauth2-client - Remove SDK of social network like/share button tools and replace with pure HTML/JS +- Fix XSS bug. Thanks Nguyễn Quang Bằng from WhiteHub#4394 NUKEVIET 4.5.07 - CKEditor 5 v47.0.0 and remove CKEditor 4
vendor/vinades/nukeviet/Core/Request.php+26 −3 modified@@ -156,6 +156,12 @@ class Request 'data' => ['object'] ]; + /** + * Các attribute có giá trị là nội dung HTML (cần lọc đệ quy qua filterTags()). + * VD: srcdoc của <iframe> có thể chứa HTML với event handler nguy hiểm (XSS). + */ + protected $htmlContentAttributes = ['srcdoc']; + /** * Các attr bị cấm, sẽ bị lọc bỏ. * - Tất cả các arrt bắt đầu bằng on @@ -170,7 +176,8 @@ class Request 'allownetworking', // Control a SWF file’s access to network functionality by setting the allowNetworking parameter = internal 'allowscriptaccess', // Loại bỏ điều khiển cho phép javascript trong embed, tự động đặt = never 'fscommand', // attacker can use this when executed from within an embedded Flash object - 'seeksegmenttime' // this is a method that locates the specified point on the element’s segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute. + 'seeksegmenttime', // this is a method that locates the specified point on the element’s segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute. + 'ping' // HTML5 <a ping> sends POST to arbitrary URL on click - SSRF/tracking vector ]; private $disablecomannds = [ 
@@ -787,6 +794,21 @@ private function filterAttr($attrSet, $tagName, &$isvalid) $value = $this->unhtmlentities($attrSubSet[1]); + /* + * Lọc đệ quy attribute có giá trị là nội dung HTML (VD: srcdoc của iframe) + */ + if (in_array($attrSubSet[0], $this->htmlContentAttributes, true)) { + $htmlValid = true; + $decodedValue = html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8'); + $filteredHtml = $this->filterTags($decodedValue, $htmlValid); + if (!$htmlValid) { + $isvalid = false; + } + $attrSubSet[1] = htmlspecialchars($filteredHtml, ENT_QUOTES | ENT_HTML5, 'UTF-8'); + $newSet[] = $attrSubSet[0] . '=[@{' . $attrSubSet[1] . '}@]'; + continue; + } + // Security check Data URLs if (preg_match('/^[\r\n\s\t]*d\s*a\s*t\s*a\s*\:([^\,]*?)\;*[\r\n\s\t]*(base64)*?[\r\n\s\t]*\,[\r\n\s\t]*(.*?)[\r\n\s\t]*$/isu', $value, $m)) { if (empty($m[2])) { @@ -816,7 +838,8 @@ private function filterAttr($attrSet, $tagName, &$isvalid) 'write' => '/w\s*r\s*i\s*t\s*e/si', 'cookie' => '/c\s*o\s*o\s*k\s*i\s*e/si', 'window' => '/w\s*i\s*n\s*d\s*o\s*w/si', - 'data:' => '/d\s*a\s*t\s*a\s*\:/si' + 'data:' => '/d\s*a\s*t\s*a\s*\:/si', + '@import' => '/@\s*i\s*m\s*p\s*o\s*r\s*t/si' // CSS injection via style attribute ]; $value = preg_replace(array_values($search), array_keys($search), $value); @@ -838,7 +861,7 @@ private function filterAttr($attrSet, $tagName, &$isvalid) if ('param' == $tagName and 'name' == $attrSubSet[0] and preg_match('/^[\r\n\s\t]*(allowscriptaccess|allownetworking)/isu', strtolower($value))) { return []; } - if (preg_match('/(expression|javascript|behaviour|vbscript|mocha|livescript)(\:*)/', $value)) { + if (preg_match('/(expression|javascript|behaviour|vbscript|mocha|livescript)(\:*)/', $value) or preg_match('/@import/i', $value)) { continue; } if (!empty($this->disablecomannds) and preg_match('#(' . implode('|', $this->disablecomannds) . ')(\s*)\((.*?)\)#si', $value)) {
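Review bot: the comment on the new 'ping' entry in the forbidden-attribute list (hunk @@ -170,7 +176,8 @@) describes `<a ping>` as an "SSRF/tracking vector", but the POST is sent by the visitor's browser when the link is clicked, not by the server, so this is a tracking/cross-site request vector rather than SSRF. Suggest rewording so the list stays accurate, e.g. `'ping' // HTML5 <a ping> makes the visitor's browser POST to an arbitrary URL on click - tracking/CSRF vector`.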
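Review bot: in the new `htmlContentAttributes` branch of filterAttr (hunk @@ -787,6 +794,21 @@), the filtered srcdoc value is still appended to `$newSet` when the nested filterTags() call reported bad content; the branch only sets `$isvalid = false` and then relies on the caller to discard the whole tag. Dropping the attribute directly (`if (!$htmlValid) { $isvalid = false; continue; }` before the `$newSet[] = ...` line) removes that dependency. Two smaller points: `in_array($attrSubSet[0], $this->htmlContentAttributes, true)` compares against the lowercase literal 'srcdoc', so please confirm `$attrSubSet[0]` is lowercased before this point, otherwise `SRCDOC=` skips the recursion and falls into the generic path; and the `continue` at the end of the branch bypasses the data: URL check and the javascript:/expression regex that follow, which is acceptable only because filterTags() is trusted to apply them to the nested document, so a one-line comment saying so would help the next reader.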
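Review bot: the two @import checks (the normalising regex added to `$search` in hunk @@ -816,7 +838,8 @@ and `preg_match('/@import/i', $value)` added to the reject condition in hunk @@ -838,7 +861,7 @@) match only the literal letters, optionally separated by whitespace. CSS permits backslash escapes inside identifiers, so `@\69mport` or `@\i\m\p\o\r\t` is still an @import rule to the browser's CSS parser and passes both checks. If the intent is to block CSS injection via the style attribute, consider decoding CSS escapes (hex escapes of the form `\` plus one to six hex digits and an optional space, and `\` plus any other character) before running the keyword regexes, or rejecting `@` and `\` in style values outright. The `/i` flag on the second check is redundant after the `$search` replacement has already lowercased the keyword, but harmless.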