Authored by Simon Bieber | Site secuvera.de

Drupal-Wiki versions 8.30 and 8.31 suffer from multiple persistent cross site scripting vulnerabilities.

advisories | CVE-2024-34481

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

secuvera-SA-2024-02: Multiple Persistent Cross-Site Scritping (XSS) flaws in Drupal-Wiki

Affected Products
Drupal Wiki 8.31
Drupal Wiki 8.30 (older releases have not been tested)

References
https://www.secuvera.de/advisories/secuvera-SA-2024-02.txt (used for updates)
CVE-2024-34481
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS-B: 6.4 ( CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N )
https://drupal-wiki.com/drupal-wiki-update-8-31/ (Vendor 1st Fix Release Notes)

Summary:
According to the Product Website Drupal-Wiki is an enterprise grade Wiki platform.
The comment function of a Drupal-Wiki-Page is prone to persistent Cross-Site Scritping
Attacks (persistent XSS).

Effect:
A remote attacker that is allowed to edit a wiki page or comment to a wiki page is able to
execute arbitrary (javascript) code within a victims' browser after the victim has opened
a wiki page with malicous comments or content.

Example:
1) XSS in comments to a Wiki Page
The Following steps are needed to exploit the vulnerability on a Wiki-Page assuming
that no login is needed to comment on a page.
1. Go to an arbitrary Wiki-Page.
2. Click on "submit comment" at the lower end of a Wiki Page
3. Enter the following into the comment form overlay and click on
the "save" button:
"'><img src=x onError=alert('XSS!')>

The above code creates a harmless JavaScript alert box whenever the Wiki-Page gets
loaded.
2) XSS in captions:
Open a Wiki-Page, insert a caption with the payload from example 1) and save it.


3) XSS in image titles
Open a Wiki-Page, insert an image with the payload from example 1) as title and save it.


Solution
Update to release 8.31.1 or newer.

Disclosure Timeline:
2024/03/20 vulnerability discovered
2024/03/21 vendor contacted to get security contact details
2024/03/21 vendor replied with contact information
2024/03/21 vulnerability details sent to security contact
2024/03/21 vendor confirmed vulnerability, proposed fix in next release update
2024/03/25 vendor release update containing fix.
2024/03/27 requested CVE-ID, reworked CVSS, tested fix. First fix not fully remediating
all issues, contacted vendor again to inform about fix test results.
2024/03/27 vendor replied confirming and proposed second fix with new update.
planned publication of the SA for 2024/04/14
2024/04/14 postponed public release as assign request of cve was not answered yet.
2024/05/06 CVE was assigned. Public release.

Credits:
Simon Bieber
[email protected]
secuvera GmbH
https://www.secuvera.de

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEE6mgEBCu3JYBqmGrgDIJc8mYSY6UFAmY4k7YACgkQDIJc8mYS
Y6Xa1A//cTQ41Wp55MJwjE0t7ABw1RSmPskosPycpMxKgU79LH7xwGLpTaRxd1H9
BiNK/Q/4j5Ad4JtM4TDwb0j7XGj07/Cp+hBcomqKohe7hgVflhZOzUcWKvfQUbQt
1yto71AauEpTz32YebZMxrFJLUXtnJU9pPQnAB5iZOyDT5rsXvEBmCnG6OF1kviy
juXiiR15rZEiiWdW+CaAz3qr07Te0WD1i14IPvE55tuKNwp9LOZr9+Fl3CM2atxs
/LSjgZnTIWODnpnuAD3D2XT5XIj1AK5cEGgg+si4UuYFK/v0nTP4Pytlw2HbS0au
WvAqtiI8YwuhQOYvsXoQ5UYHjZzc2BrQ5mn2MujHb17/eMyG2o3bgPnZ9x+PxDSi
Z++4iRnwolip0ha2E0bIwq8dVyHYcCPfwkrAk3vSmvLmzEivz+OyXPPWwB6EVq8q
3/DRa9fcVO985bxOeBHImyqgPLm8je70Z51GBezCPlHltYXZ8AHpBzqc7Jp0DgUB
UYlQ3y3a62E5oQ8Uo0S7YFkM7ZYhFaxBeVZs4gC1QOo2FNyQjVvD11digf9M+uSR
aH3SwpHhYSIremKeWG9xDGCjN2fiSuEJHdhwAzWUHFa1b7PArB3Ypq3ILKgJyIwx
1S/LYqnuiCC00tp48b8AzMUdYqyeXIfhvOiYMEzzBIq2Ft+IW9U=
=hWhw
-----END PGP SIGNATURE-----