Multiple Vulnerabilities discovered in the package Croogo

Loginsoft-2019-1037
February 11, 2019

CVE Number

CVE – CVE-2019-7170

CWE Number

CWE – 79

Product Details

Croogo is an open source PHP content management system powered by CakePHP.
URL: https://github.com/croogo/croogo/wiki

Vulnerable Versions

v3.0.5

Vulnerability Details

The `Title` value is printed on the ‘Vocabulary’ page without being escaped, leaving the application vulnerable to a cross-site scripting (XSS) attack.
Reference link: https://github.com/croogo/croogo/issues/890

Mitigations
  • Avoid inserting untrusted input data into the page
  • Always sanitize input data (HTML escaping, attribute escaping, JavaScript escaping, JSON parsing and HTML encoding) before inserting it into the page content
  • Adopt a Content Security Policy and an auto-escaping template system
  • Implement the X-XSS-Protection response header

CVE Number

CVE – CVE-2019-7173

Vulnerability Details

The `Title` value is printed on the ‘Attachment’ page without being escaped, leaving the application vulnerable to a cross-site scripting (XSS) attack.
Reference link: https://github.com/croogo/croogo/issues/889

Mitigations
  • Avoid inserting untrusted input data into the page
  • Always sanitize input data (HTML escaping, attribute escaping, JavaScript escaping, JSON parsing and HTML encoding) before inserting it into the page content
  • Adopt a Content Security Policy and an auto-escaping template system
  • Implement the X-XSS-Protection response header

CVE Number

CVE – CVE-2019-7169

Vulnerability Details

The `Title` value is printed on the ‘Title’ page without being escaped, leaving the application vulnerable to a cross-site scripting (XSS) attack.
Reference link: https://github.com/croogo/croogo/issues/888

Mitigations
  • Avoid inserting untrusted input data into the page
  • Always sanitize input data (HTML escaping, attribute escaping, JavaScript escaping, JSON parsing and HTML encoding) before inserting it into the page content
  • Adopt a Content Security Policy and an auto-escaping template system
  • Implement the X-XSS-Protection response header

CVE Number

CVE – CVE-2019-7171

Vulnerability Details

The `Title` value is printed on the ‘Blocks’ page without being escaped, leaving the application vulnerable to a cross-site scripting (XSS) attack.
Reference link: https://github.com/croogo/croogo/issues/887

Mitigations
  • Avoid inserting untrusted input data into the page
  • Always sanitize input data (HTML escaping, attribute escaping, JavaScript escaping, JSON parsing and HTML encoding) before inserting it into the page content
  • Adopt a Content Security Policy and an auto-escaping template system
  • Implement the X-XSS-Protection response header

CVE Number

CVE – CVE-2019-7168

Vulnerability Details

The `Blog` value is printed on the ‘Content’ page without being escaped, leaving the application vulnerable to a cross-site scripting (XSS) attack.
Reference link: https://github.com/croogo/croogo/issues/886

Mitigations
  • Avoid inserting untrusted input data into the page
  • Always sanitize input data (HTML escaping, attribute escaping, JavaScript escaping, JSON parsing and HTML encoding) before inserting it into the page content
  • Adopt a Content Security Policy and an auto-escaping template system
  • Implement the X-XSS-Protection response header

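The same defect, unescaped output of a stored field such as `Title`, underlies all five findings above. As an added example that is not Croogo's own code or fix, the PHP below places the vulnerable output pattern beside the escaped form using CakePHP's `h()` helper, and adds a context-aware `escapeFor()` helper for the escaping contexts named in the mitigations; the template fragments, the sample `$title` and `escapeFor()` are assumptions.

```php
<?php
// Added example; not code from the Croogo project or its fix.

// CakePHP defines h() as a wrapper around htmlspecialchars(). Outside a
// CakePHP application this fallback (an assumption mirroring that
// behaviour) keeps the example runnable on its own.
if (!function_exists('h')) {
    function h(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Escape a value for the context it is written into: element body and
// quoted attribute share entity encoding, while a JavaScript string
// literal needs JSON encoding with the HTML-significant characters
// hex-escaped so a "</script>" inside the value cannot close the tag.
function escapeFor(string $value, string $context): string
{
    switch ($context) {
        case 'html':
        case 'attribute':
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case 'js':
            return json_encode(
                $value,
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
            );
        default:
            throw new InvalidArgumentException("unknown context: $context");
    }
}

// Constructed sample: a Title an editor could store through the admin UI.
$title = 'Fruits <script>alert(1)</script>';

// Vulnerable pattern: the stored value reaches the page verbatim, so the
// browser parses the markup inside it as part of the document.
$vulnerable = '<h2>' . $title . '</h2>';

// Hardened pattern: the same value passed through h() renders as text.
$hardened = '<h2>' . h($title) . '</h2>';

echo "Unescaped: $vulnerable\n";
echo "Escaped:   $hardened\n";
echo 'Attribute: <a title="' . escapeFor($title, 'attribute') . '">...</a>' . "\n";
echo 'Script:    <script>var t = ' . escapeFor($title, 'js') . ';</script>' . "\n";
```

In a CakePHP template the hardened form is simply `<?= h($entity->title) ?>`; the context helper matters when the value is placed in an attribute or a script block rather than element text.
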
Timeline

Vendor Disclosure: 2019-01-16
Public Disclosure: 2019-02-11

Credit

Discovered by ACE Team – Loginsoft