Advisory CVE-2023-28733, Stored XSS affecting the AcyMailing plugin for Joomla
CVE ID: CVE-2023-28733
Vendor: AcyMailing
Product: Newsletter Plugin for Joomla in the Enterprise version
Title: Stored XSS affecting the AcyMailing plugin for Joomla
Vulnerable Versions: < 8.3.0
Problem Type (CWE):
- CWE-20 Improper Input Validation
- CWE-116 Improper Encoding or Escaping of Output
Impacts (CAPEC):
- CAPEC-63 Cross-Site Scripting (XSS)
- CAPEC-592 Stored XSS
CVSS 3.1:
- 7.2 High
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
References:
CVE Description:
Introduction:
AcyMailing is a newsletter and email marketing plugin available for Joomla and WordPress.
The vulnerability:
Stored cross-site scripting (XSS) in the templates and emails of AcyMailing, exploitable without authentication when campaign creation is enabled on the front-office.
This issue affects the AcyMailing Joomla plugin in versions below 8.3.0.
The steps to exploit the vulnerability:
- Campaign creation access needs to be enabled on the front-office; the following steps can then be performed unauthenticated
- Edit an AcyMailing email template and initiate applying the changes
- One of the resulting requests sent to the plugin contains the editor content and can be manipulated to contain JavaScript code
- The template containing the JavaScript code is stored on the system and the payload will trigger when the template is accessed again
How to check for exploitation:
- Check access logs for suspicious requests of the form "/index.php?option=com_acym&tmpl=component&22f6c8a79b56f873e2406d68f8f1bf32=1&nocache=1675689449&ctrl=frontmails", or for JS payloads in the POST parameter "editor_content" (e.g. "editor_content=<script>console.log('test')</script>%3Cdiv+id%3D%22acym__wysid__template%22+class…")
- Check stored templates for injected JS payloads
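Added example (not part of the advisory or the vendor's code): a small log-triage script that applies the two checks above, flagging requests to the com_acym frontmails controller in an access log and inspecting an URL-encoded POST body for script-like markup in editor_content. The sample log lines and bodies are constructed; the regex of script-like fragments is an assumption, and plain web-server access logs do not record POST bodies, so the body check assumes a proxy or WAF log that does.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request shape named in the advisory: com_acym front-office mail controller.
ACYM_QUERY = {"option": "com_acym", "ctrl": "frontmails"}
# POST field that carries the template editor content.
EDITOR_PARAM = "editor_content"
# Script-like fragments to flag in template content (assumed list, not from the advisory).
JS_RE = re.compile(r"<script\b|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)
# Combined-log-format request line, e.g. "POST /index.php?... HTTP/1.1".
REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def is_frontmails_request(uri: str) -> bool:
    """True when the URI targets com_acym with ctrl=frontmails (other params ignored)."""
    qs = parse_qs(urlsplit(uri).query)
    return all(qs.get(k, [None])[0] == v for k, v in ACYM_QUERY.items())

def editor_content_has_js(body: str) -> bool:
    """True when the editor_content field of a URL-encoded form body holds script-like markup."""
    fields = parse_qs(body, keep_blank_values=True)
    for value in fields.get(EDITOR_PARAM, []):
        # parse_qs decoded once; decode again so a double-encoded payload is still seen.
        if JS_RE.search(unquote_plus(value)):
            return True
    return False

def scan_access_log(lines):
    """Return the request URIs of log lines that hit the frontmails controller."""
    hits = []
    for line in lines:
        m = REQ_RE.search(line)
        if m and is_frontmails_request(m.group("uri")):
            hits.append(m.group("uri"))
    return hits

# Constructed sample lines, loosely following the URI quoted in the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Feb/2023:10:01:02 +0000] "GET /index.php?option=com_acym&tmpl=component&nocache=1675689449&ctrl=frontmails HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Feb/2023:10:01:03 +0000] "POST /index.php?option=com_acym&tmpl=component&ctrl=frontmails HTTP/1.1" 200 128',
    '198.51.100.7 - - [10/Feb/2023:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4096',
]
# Constructed POST bodies as a request-logging proxy or WAF might record them.
SAMPLE_BODY = "editor_content=%3Cscript%3Econsole.log(%27test%27)%3C%2Fscript%3E%3Cdiv+id%3D%22acym__wysid__template%22%3E&ctrl=frontmails"
BENIGN_BODY = "editor_content=%3Cdiv+id%3D%22acym__wysid__template%22%3E%3Cp%3EHello%3C%2Fp%3E%3C%2Fdiv%3E"

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))
    print(editor_content_has_js(SAMPLE_BODY), editor_content_has_js(BENIGN_BODY))
```

A hit on the frontmails controller alone is not proof of exploitation, since legitimate front-office campaign editing uses the same path; the body check or a review of the stored templates is what confirms an injected payload.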
Solution:
- update to a fixed version (>= 8.3.0)
Timeline:
- 2023-02-06: reported
- 2023-03-09: initial vendor notification
- 2023-03-10: initial vendor response
- 2023-03-20: release of fixed version
- 2023-03-30: coordinated public disclosure
Credits:
- Reporter: Raphaël Arrouas (“Xel”), on a bug bounty program of Bug Bounty Switzerland
- Coordinator: Bug Bounty Switzerland