Stored XSS vulnerability in additional URLs in 'Location' dialog [Sitemap]
Severity: Low
Program: Concrete CMS
Reported by: bl4de
Vulnerability Details
## Intro
"Transformers: Dark of the Crayons"
__Type of issue__: Core CMS issue
__Level of severity__: Internal Attack Vector
__Concrete5 version__: 8.2.0 RC2 rev. 0a26b63c4a64d42e7afb36aba0a6e4d1f4c53d7d (July 19th)
## Summary
There is a stored XSS vulnerability in the additional URLs of the 'Location' dialog. This issue can only be exploited against other users who have rights to edit page attributes in the Sitemap.
## Steps to reproduce
- log in to the concrete5 instance and enable the Conversations feature
- go to Sitemap. Click on any page and select the `Location` option from the menu:
[screenshot attachment F204663]
- in the dialog box, click on `Add URL`. In the new text input put the following payload:
```javascript
',row:1}));alert("xss in path");debugger;(({y:'1
```
- save changes
[screenshot attachment F204662]
- click on the edited page and select the `Location` option from the menu
- the payload is executed and an alert is displayed
[screenshot attachment F204664]
Here's how the payload escapes from the legitimate JavaScript code, executes the alert() call and keeps the syntax free of errors (the injected part is the single-quoted `pagePath` value):
```javascript
$('table.ccm-page-panel-detail-location-paths tbody').append(
    renderPagePath({
        isAutoGenerated: 0,
        isCanonical: 0,
        isHome: 1,
        pagePath: '/',row:1}));alert("xss in path");debugger;(({y:'1',
        row: 2 })
);
```
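To make the root cause and the fix concrete, here is an added example (not Concrete5's own code; the `renderUnsafe` and `renderSafe` renderers are assumptions modelled on the rendered output above). It contrasts building the inline script by string concatenation with emitting the path as a properly encoded JavaScript string literal, and runs both snippets against stubbed `$`, `renderPagePath` and `alert` so the difference is observable without a browser:

```javascript
// Added example (not Concrete5 code). Demonstrates why interpolating a user-
// controlled page path into a JavaScript string literal lets the value break
// out of the literal, and how encoding the value as JSON prevents it.

// Payload taken from the report above.
const PAYLOAD = `',row:1}));alert("xss in path");debugger;(({y:'1`;

// Vulnerable pattern (assumed, modelled on the rendered output in the report):
// the stored path is dropped into a single-quoted JS string by concatenation.
function renderUnsafe(pagePath) {
  return "$('table.ccm-page-panel-detail-location-paths tbody').append(" +
    "renderPagePath({ isAutoGenerated: 0, isCanonical: 0, isHome: 1, pagePath: '" +
    pagePath + "', row: 2 }));";
}

// Hardened pattern: JSON-encode the value, then escape the characters JSON
// leaves raw but which matter inside an inline <script> block or to JS parsers.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')      // keeps '</script>' from closing the script tag
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028') // line/paragraph separators: legal in JSON,
    .replace(/\u2029/g, '\\u2029'); // line terminators in older JS engines
}

function renderSafe(pagePath) {
  return "$('table.ccm-page-panel-detail-location-paths tbody').append(" +
    "renderPagePath({ isAutoGenerated: 0, isCanonical: 0, isHome: 1, pagePath: " +
    jsStringLiteral(pagePath) + ", row: 2 }));";
}

// Executes a rendered snippet with stubbed page globals and records what ran:
// how many times renderPagePath was called, with what, and whether alert fired.
function execute(snippet) {
  const calls = [];
  const alerts = [];
  const $ = () => ({ append() { return this; } });
  const renderPagePath = (opts) => { calls.push(opts); return ''; };
  const alert = (msg) => alerts.push(msg);
  new Function('$', 'renderPagePath', 'alert', snippet)($, renderPagePath, alert);
  return { calls, alerts };
}

// Convenience wrapper: summarises the outcome of rendering one path both ways.
function compare(pagePath) {
  const unsafe = execute(renderUnsafe(pagePath));
  const safe = execute(renderSafe(pagePath));
  return {
    unsafeAlertFired: unsafe.alerts.length > 0,
    unsafeRowSeen: unsafe.calls[0].row,
    safeAlertFired: safe.alerts.length > 0,
    safePathSeen: safe.calls[0].pagePath,
    safeRowSeen: safe.calls[0].row,
  };
}

console.log(compare(PAYLOAD));
```

With the payload, the unsafe snippet closes the object literal, the `renderPagePath` call and the `append` call early, runs `alert("xss in path")`, and then opens a fresh expression so the trailing `', row: 2 }))` still parses. The safe snippet passes the whole payload through as the `pagePath` string with `row: 2`, and `alert` never runs. The more robust option, where the template allows it, is to avoid inline script data altogether: put the value in a `data-` attribute or a `<script type="application/json">` block and read it with `JSON.parse`, so no server-side JavaScript escaping is needed at all.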
## Impact
This vulnerability presents an Internal Attack Vector and has low impact.
## Testing environment
System:
- Concrete5 version 8.2.0 RC2, commit 0a26b63c4a64d42e7afb36aba0a6e4d1f4c53d7d (July 19th), installed locally
- PHP ver. 5.6.30
- Apache HTTP Server 2.4.25 for macOS
- MySQL ver. 5.7.13 for macOS
This vulnerability was tested on macOS Sierra 10.12.5 with the following browsers:
- Chrome 59.0.3071.115
- Chromium build 61.0.3161.0
- Opera 46.0.2597.32
## Wrap up
I hope my report will help keep Concrete5 safe in the future.
Best Regards,
Rafal 'bl4de' Janicki
Report Details
State: Closed
Substate: Resolved
Weakness: Cross-site Scripting (XSS) - Stored