CVE-2024-55341
📋 TL;DR
A stored cross-site scripting vulnerability in Piranha CMS allows authenticated attackers to inject malicious JavaScript into pages via markdown content. When users view these pages, the script executes in their browsers, potentially stealing session cookies or performing actions on their behalf. This affects administrators and users of Piranha CMS 11.1 who can create or view pages.
💻 Affected Systems
- Piranha CMS
📦 What is this software?
Piranha Cms by Dotnetfoundation
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over CMS administration, deface websites, or redirect users to malicious sites.
Likely Case
Attackers with editor access could inject scripts that steal user session data or perform limited actions within the CMS context.
If Mitigated
With proper input validation and output encoding, the script payloads would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires authenticated access to create pages. The vulnerability is in markdown content processing where user input isn't properly sanitized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 11.2 or later
Vendor Advisory: https://github.com/PiranhaCMS/piranha.core
Restart Required: No
Instructions:
1. Update Piranha CMS to version 11.2 or later.
2. Verify the update by checking the version in the CMS admin panel.
3. Review existing pages for suspicious markdown content.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize markdown content before storage.
Implement custom middleware or modify markdown processing to escape HTML special characters.
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources.
Add a Content-Security-Policy: script-src 'self' header to HTTP responses. Without 'unsafe-inline' this directive also blocks inline scripts, which is what stops an injected <script> block from running, so confirm the CMS admin UI still works with it before deploying it site-wide.
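As an added example (not Piranha's own code), the stdlib-only Python sanitizer below shows the "escape HTML special characters" workaround in concrete form: it runs over the HTML a markdown renderer emitted, keeps only an assumed allowlist of tags and attributes, drops script elements together with their bodies, discards event-handler attributes and rejects javascript: URLs. The tag allowlist and the sample inputs are assumptions, not taken from Piranha.

```python
from html import escape
from html.parser import HTMLParser

# Assumed allowlist: the elements ordinary markdown produces; anything else is stripped.
ALLOWED_TAGS = {"p", "a", "em", "strong", "code", "pre", "ul", "ol", "li",
                "h1", "h2", "h3", "blockquote", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # tag and body both go
VOID_TAGS = {"br", "img"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/", "#")

def _safe_url(value):
    return value.strip().lower().startswith(SAFE_URL_PREFIXES)  # rejects javascript:, data:

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # > 0 while inside an element whose body is dropped

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag itself, keep its text
        parts = [tag]
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # also discards every on* event-handler attribute
            if name in ("href", "src") and not _safe_url(value):
                continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-encoded, never emitted raw

def sanitize_html(rendered_html):
    # Returns rendered_html with only allowlisted tags, attributes and URL schemes.
    parser = _Sanitizer()
    parser.feed(rendered_html)
    parser.close()
    return "".join(parser.out)
```

Run it on the renderer's output immediately before storage or before the page is served; escaping text nodes on the way out is what turns a stored payload back into harmless text.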
🧯 If You Can't Patch
- Restrict page creation permissions to trusted administrators only
- Implement web application firewall rules to block XSS payload patterns in markdown content
🔍 How to Verify
Check if Vulnerable:
Check if running Piranha CMS version 11.1. Attempt to create a page with markdown containing <script>alert('test')</script> and see if it executes when viewed.
Check Version:
Check the CMS admin panel or examine the application's assembly version.
Verify Fix Applied:
After updating to 11.2+, test that the same XSS payload is properly escaped and doesn't execute when viewing the page.
📡 Detection & Monitoring
Log Indicators:
- Unusual page creation activity by non-admin users
- Multiple page edits with script-like content in markdown fields
Network Indicators:
- HTTP requests to /manager/pages with script tags in POST data
- Outbound connections to external domains from page content
SIEM Query:
source="web_logs" AND (uri_path="/manager/pages" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:"))