Advisory CVE-2023-28733, Stored XSS affecting the AcyMailing plugin for Joomla

CVE ID: CVE-2023-28733

Vendor: AcyMailing

Product: Newsletter Plugin for Joomla in the Enterprise version

Title: Stored XSS affecting the AcyMailing plugin for Joomla

Vulnerable Versions: < 8.3.0

Problem Type (CWE):

CWE-20 Improper Input Validation
CWE-116 Improper Encoding or Escaping of Output

Impacts (CAPEC):

CAPEC-63 Cross-Site Scripting (XSS)
CAPEC-592 Stored XSS

CVSS 3.1:

7.2 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

References:

CVE Description:

Introduction:

AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress.

The vulnerability:

Stored cross site scripting (XSS) in templates and emails of AcyMailing, unauthenticated when being granted access to the campaign’s creation on front-office.

This issue affects AnyMailing Joomla Plugin in versions below 8.3.0.

The steps to exploit the vulnerability:

Campaign creation access needs to be enabled on the front-office, the following steps can then be done unauthenticated
Edit an AcyMailing email template and initiate applying the changes
One of the resulting requests sent to the plugin contains the editor content and can be manipulated to contain Java Script code
The template containing the Java Script code is stored on the system and the payload will trigger when accessing the template again

How to check for exploitation:

Check access logs for suspicious requests in the form of “/index.php?option=com_acym&tmpl=component&22f6c8a79b56f873e2406d68f8f1bf32=1&nocache=1675689449&ctrl=frontmails” or for JS payloads in the POST parameter “editor_content” (e.g. “editor_content=<script>console.log(‹test›)</script>%3Cdiv+id%3D%22acym__wysid__template%22+class…”)
Check templates for injected JS payloads

Solution:

update to a fixed version (>= 8.3.0)

Timeline:

2023-02-06: reported
2023-03-09: initial vendor notification
2023-03-10: initial vendor response
2023-03-20: release of fixed version
2023-03-30: coordinated public disclosure

Credits:

Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland
Coordinator: Bug Bounty Switzerland

Cookie	Dauer	Beschreibung
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.