Skip to content

Cross-site Scripting vulnerabilities in Neos

High severity GitHub Reviewed Published May 17, 2024 to the GitHub Advisory Database • Updated May 17, 2024

Package

composer neos/neos (Composer)

Affected versions

>= 1.2.0, < 1.2.13
>= 2.0.0, < 2.0.4

Patched versions

1.2.13
2.0.4

Description

It has been discovered that Neos is vulnerable to several XSS attacks. Through these vulnerabilities, an attacker could tamper with page rendering, redirect victims to a fake login page, or capture user credentials (such as cookies). With the potential backdoor upload an attacker could gain access to the server itself, to an extent mainly limited by the server setup.

Reflected Cross-Site Scripting (SXSS) with authentication

A Neos backend user with permission to modify content can insert JavaScript instructions into content elements. The browser will execute the script in "Print" preview mode.
A Neos backend user who can modify his profile information ("Title", "First Name", "Last name", "Middle Name", "Other Name") can inject JavaScript instructions in those parameters. Once set up, an administrator who wants to edit this user account will execute the code.
Both attack vectors require a valid Neos backend user account.

Reflected Cross-Site Scripting (RXSS) without authentication

A non-persistent XSS using parameters passed during plugin execution is possible. If invalid parameters are passed, an error message may be shown (depending on the context Neos runs in and how the parameters are handled) that contains the unescaped parameter value.

Note: Through the HTML content type the inclusion of arbitrary JavaScript is still possible for users with a valid Neos backend account. If you want to prohibit that, disable the nodetype or restrict access.

Potential backdoor upload

Through an issue with the underlying Flow framework (see the related Flow advisory Flow-SA-2015-001) any editor with access to the Media Management module can upload server side script files (when using Neos 2.0.x). If those scripts are executed by the server when accessed through their public URL, anything not blocked through other means is possible (information disclosure, placement of backdoors, data removal, …).

References

Published to the GitHub Advisory Database May 17, 2024
Reviewed May 17, 2024
Last updated May 17, 2024

Severity

High

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-6cj3-rc4p-f38f

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.