When a user copies/pastes a message in Drafts, the pasted content is executed in the site context (i.e. the context of the Drafts application). It is therefore possible for an attacker to inject malicious code into the application via XSS.

To exploit this vulnerability, an attacker would have to convince a user to open a crafted link and copy/paste it into a Drafts message, which then causes the application to execute the malicious code.

CVE-2023-37252

When a user edits a message in Drafts, the changes are automatically saved to _drafts/__drafts.

Drafts – A great place to start your exploration of XSS

XSS is a very common web application vulnerability that affects users of all types of websites. It occurs when a page includes content from attacker-supplied input such as a link or form field. For example, the attacker could inject malicious JavaScript into the URL or a form input and send the link to the user. The attacker controls what code is executed on the server side and can change code in real time as it is being processed by the browser.
Although XSS attacks are often simple to execute, there are sometimes additional concerns to address. For instance, if the goal is to steal sensitive data from an organization's website, an attacker might use XSS only to steal login credentials rather than waiting for other vulnerabilities such as SQL injection or command injection to be discovered.
If you're interested in learning more about how XSS works and some potential mitigations, take a look at this walkthrough of the vulnerability: https://www.owasp.org/index.php/Session_Management_CheatSheet#XSS_Mitigation
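The paste-into-site-context problem described at the top of this page, and the mitigation the XSS section points to, can be shown side by side. The following is an added example written for this page; it is not code from Drafts or its authors, and it makes no claim about how Drafts actually handles paste. The function names (pasteUnsafe, pasteSafe, renderMessage, installSafePaste), the clipboard object shape, and the clipboard payload are all constructed for illustration. The unsafe handler takes the clipboard's HTML flavour and hands it to innerHTML, so any markup it carries runs in the application's origin; the safe handler keeps only the plain-text flavour and HTML-escapes it before it ever becomes markup.

```javascript
// Added example (not code from the Drafts project). Two ways of handling
// pasted content in a browser message editor. All names below are assumptions.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// UNSAFE: trusts whatever HTML the clipboard carries.
// `clipboard` mirrors the flavours returned by DataTransfer.getData():
// { "text/html": ..., "text/plain": ... }
function pasteUnsafe(clipboard) {
  return clipboard["text/html"] || clipboard["text/plain"] || "";
}

// SAFE: ignore the HTML flavour entirely, escape the plain text, and keep
// line breaks as <br> so the rendered message still looks like what was pasted.
function pasteSafe(clipboard) {
  const text = clipboard["text/plain"] || "";
  return escapeHtml(text).split("\n").join("<br>");
}

// Render a message body into a container. `sink` stands in for a DOM element
// (anything with an innerHTML property) so the example also runs under Node.
function renderMessage(sink, markup) {
  sink.innerHTML = markup;
  return sink.innerHTML;
}

// Browser wiring for an assumed editor element: intercept the paste event,
// take only the plain-text flavour, and insert it escaped rather than as raw markup.
function installSafePaste(editor) {
  editor.addEventListener("paste", (event) => {
    event.preventDefault();
    const text = event.clipboardData.getData("text/plain");
    editor.insertAdjacentHTML("beforeend", pasteSafe({ "text/plain": text }));
  });
}

// Constructed clipboard payload: a link whose HTML flavour also carries an
// inline event handler and a script element.
const constructedClipboard = {
  "text/html":
    '<a href="https://example.test" onmouseover="alert(1)">link</a><script>alert(1)</script>',
  "text/plain": "https://example.test <script>alert(1)</script>",
};

// Demonstration when run directly under Node.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fakeElement = { innerHTML: "" };
  console.log("unsafe:", renderMessage(fakeElement, pasteUnsafe(constructedClipboard)));
  console.log("safe:  ", renderMessage(fakeElement, pasteSafe(constructedClipboard)));
}
```

The design point is that the safe path never consults the HTML flavour at all: rather than trying to strip dangerous tags from attacker-shaped markup, it treats everything pasted as text and lets the escaping decide what the browser sees. In a real editor that needs rich paste, the same rule applies with an allow-list sanitizer in front of innerHTML instead of the escape step.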

Timeline

Published on: 09/16/2022 22:15:00 UTC
Last modified on: 09/21/2022 15:37:00 UTC
