CVE-2020-9322
📋 TL;DR
This vulnerability in Statamic CMS allows attackers to perform cross-site scripting (XSS) attacks through the /users endpoint. It enables stored XSS via malicious usernames during registration and reflected XSS via PATH_INFO manipulation, potentially allowing attackers to add administrator accounts via CSRF. All Statamic installations before version 2.11.8 are affected.
💻 Affected Systems
- Statamic Core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to the CMS, allowing complete system compromise, data theft, and persistent backdoor installation.
Likely Case
Attackers hijack user sessions, steal credentials, deface websites, or redirect users to malicious sites.
If Mitigated
Limited impact with proper input validation, output encoding, and CSRF protections in place.
🎯 Exploit Status
Exploitation requires minimal technical skill with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.11.8
Vendor Advisory: https://statamic.com/changelog#2.11.18
Restart Required: No
Instructions:
1. Update Statamic to version 2.11.8 or later.
2. Verify the update completed successfully.
3. Test the /users endpoint functionality.
🔧 Temporary Workarounds
Disable /users endpoint
Temporarily disable the vulnerable endpoint until patching is possible
Modify routing configuration to restrict access to the /users endpoint
Implement WAF rules
Add web application firewall rules to block XSS payloads
Add WAF rules to detect and block JavaScript in username fields and PATH_INFO parameters
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user inputs
- Enable CSRF protection and require authentication for administrative actions
🔍 How to Verify
Check if Vulnerable:
Check Statamic version in admin panel or via composer show statamic/cms
Check Version:
composer show statamic/cms | grep version
Verify Fix Applied:
Confirm version is 2.11.8 or higher and test /users endpoint with XSS payloads
📡 Detection & Monitoring
Log Indicators:
- Unusual username patterns containing script tags
- Multiple failed user creation attempts
- Admin user creation from unexpected IPs
Network Indicators:
- HTTP requests to /users with JavaScript payloads
- CSRF attacks targeting user creation endpoints
SIEM Query (illustrative pseudo-syntax; the payload appears in the request path or the POST parameters, not the User-Agent, so match on those fields):
source="web_logs" AND uri_path STARTSWITH "/users" AND (uri_path CONTAINS "<script" OR params CONTAINS "<script" OR params CONTAINS "javascript:")
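As an added example (not part of this advisory or of Statamic's code), the following Python scans constructed access-log lines for the two vectors described above: a script-bearing username in a registration POST to /users, and a payload placed in PATH_INFO after /users. The log format and field names are assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qs

# Constructed sample log lines (hypothetical format: client_ip method uri status post_body).
# They illustrate the stored vector (username field) and the reflected vector (PATH_INFO).
SAMPLE_LOGS = [
    '203.0.113.5 POST /users 200 username=alice',
    '203.0.113.7 POST /users 200 username=%3Cscript%3Ealert(1)%3C/script%3E',
    '198.51.100.9 GET /users/%3Cscript%3Ealert(document.cookie)%3C/script%3E 200 -',
    '198.51.100.2 GET /users/profile 200 -',
    '203.0.113.8 POST /users 200 username=javascript%3Aalert(1)',
]

# Markers of HTML/JS injection, checked after URL decoding and case-insensitively.
XSS_RE = re.compile(
    r'<\s*script|javascript\s*:|<\s*(img|svg|iframe)\b|\bon\w+\s*=',
    re.IGNORECASE,
)

# Assumed log layout: ip method uri status body
LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) (?P<body>.*)$')


def parse_line(line):
    """Split one log line into its fields, or return None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_xss_attempts(lines):
    """Return (ip, vector, decoded_value) for /users requests carrying XSS-like input."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = unquote_plus(urlsplit(rec['uri']).path)
        if not path.startswith('/users'):
            continue
        # Reflected vector: anything after /users in the path is PATH_INFO.
        path_info = path[len('/users'):]
        if XSS_RE.search(path_info):
            hits.append((rec['ip'], 'path_info', path_info))
        # Stored vector: the username submitted at registration.
        if rec['method'] == 'POST':
            for name in parse_qs(rec['body']).get('username', []):
                if XSS_RE.search(name):
                    hits.append((rec['ip'], 'username', name))
    return hits
```

Run `find_xss_attempts(SAMPLE_LOGS)` to see the three flagged requests; legitimate traffic such as a registration of `alice` or a GET of /users/profile produces no hit.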