Executive Summary

CVE-2022-50937 is a persistent cross-site scripting (XSS) vulnerability in Ametys CMS version 4.4.1, specifically in the input fields for adding external links in the link directory module. Attackers with low user privileges can inject malicious JavaScript code into fields such as 'Link Text,' 'Small Description,' and 'Description' via HTTP POST requests. Because the application does not properly validate, parse, encode, or sanitize these inputs on submission or rendering, the malicious scripts persist and execute whenever the links are viewed in both backend and frontend interfaces. This allows attackers to perform persistent attacks like session hijacking, phishing, unauthorized redirects, and manipulation of application modules. [1, 2, 4]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to execute persistent malicious scripts within the Ametys CMS environment. This can lead to session hijacking, where attackers steal user sessions; persistent phishing attacks; unauthorized external redirects to malicious websites; and manipulation of application modules. These impacts compromise user security and the integrity of the application, potentially leading to unauthorized access and data exposure. [1, 2, 4]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to inject malicious script payloads into the 'Link Text,' 'Small Description,' and 'Description' input fields of the add external link function in the Ametys CMS link directory module. Detection involves submitting crafted HTTP POST requests containing JavaScript payloads to these fields and then verifying if the scripts persist and execute when viewing the link directory in both backend and frontend interfaces. For example, you can use curl commands to POST data with payloads such as `<a onmouseover=alert(document.domain)>poc_link</a>` to the add external link endpoint and then check if the payload executes upon rendering. Specific commands might look like: `curl -X POST -d 'linkText=<a onmouseover=alert(document.domain)>poc_link</a>&smallDescription=test&description=test' https://your-ametys-site/path-to-add-link`. Monitoring HTTP traffic for such POST requests and responses containing unsanitized script tags can also help detect exploitation attempts. [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include securely parsing and encoding all input fields in the add external link function, specifically the 'Link Text,' 'Small Description,' and 'Description' fields, to prevent injection of malicious scripts. Restrict special characters in these inputs and properly sanitize outputs wherever the links are displayed in both frontend and backend components. Additionally, restrict user privileges to limit who can add external links, and apply any available patches or updates from the vendor addressing this vulnerability. Monitoring and filtering HTTP POST requests to the add external link function for suspicious payloads can also help reduce risk until a fix is applied. [1, 2, 4]

Useful 0 Not Useful 0