Automad 2.0.0-alpha.4 XSS Vulnerability

It has been reported that Automad version 2.0.0-alpha.4 is affected by a stored (persistent) cross-site scripting vulnerability. The flaw allows an attacker to inject JavaScript into the template body; once saved, the code is persisted in the flat file CMS and executed in the browser of every user who loads the affected page, exposing them to session hijacking, data theft, and other malicious activity.

This vulnerability was first brought to light by Jerry Thomas, also known as w3bn00b3r, who discovered the flaw on June 20, 2024. Automad, a popular web application categorized as a Flat File CMS, is the software affected by this critical XSS vulnerability. The specific version impacted by this issue is 2.0.0-alpha.4, making it crucial for users to take immediate action to mitigate any potential risks.

The Proof-of-Concept provided by Jerry Thomas outlines the steps needed to trigger the vulnerability. After logging in as an Admin and navigating to the endpoint http://localhost/dashboard/home, the user is presented with the default Welcome page and an option to edit it. From the Content tab, or directly via http://localhost/dashboard/page?url=%2F&section=text, the user can edit a block named “Main”, and it is into this block that the XSS payload is entered. The payload used in the report simply triggers an alert, which is enough to demonstrate that arbitrary script executes.

The request sent to the server carries the payload inside the content data, which shows how little effort the injection requires. The server's response confirms that the payload was stored and is rendered back unescaped. Because the stored block is part of the homepage, the script then runs for anyone who visits http://localhost/, not only for the administrator who saved it.
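The root cause described above is a general one: content that was saved by an editor is substituted into the rendered page verbatim, so any markup in the block becomes live in the visitor's browser. The following Python block is an added illustration, not Automad's code, and the content store, file paths and template it uses are constructed for the example. It contrasts the flawed output path with an escaped one and includes a small audit routine a defender could run over stored blocks to find script-capable markup that should not be there.

```python
"""Added example (not Automad's code): why stored content must be escaped on
output, and how to audit flat-file content blocks for script payloads.

Assumptions (constructed for this example, not taken from Automad):
- content blocks are stored as plain text, modelled here as a dict keyed by a
  hypothetical file path
- a page is rendered by substituting block text into an HTML template
"""
import html
import re

# Constructed sample of a flat-file content store: path -> stored block text.
# Two of the blocks carry the kind of payload the write-up describes.
CONTENT_STORE = {
    "pages/about/main.txt": "Welcome to <b>our</b> site",
    "pages/home/main.txt": "Hello <script>alert(1)</script>",
    "pages/contact/main.txt": '<img src="x" onerror="alert(1)">',
}

# Hypothetical page template: the block body is dropped into <main>.
TEMPLATE = "<main>{body}</main>"


def render_unsafe(block_text: str) -> str:
    """Flawed pattern: stored text is substituted into the page verbatim.

    Whatever an editor saved in the block becomes live markup for every
    visitor, which is exactly the stored-XSS condition.
    """
    return TEMPLATE.format(body=block_text)


def render_escaped(block_text: str) -> str:
    """Hardened pattern: HTML-escape at output time.

    The stored text is shown as text; angle brackets and quotes can no longer
    open a tag or attribute, so no script executes.
    """
    return TEMPLATE.format(body=html.escape(block_text, quote=True))


# Markup constructs a reviewer would flag in stored content blocks.
SUSPICIOUS = [
    ("script tag", re.compile(r"<\s*script\b", re.I)),
    ("inline event handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript: URL", re.compile(r"javascript\s*:", re.I)),
]


def audit_store(store: dict) -> dict:
    """Return {path: [finding labels]} for blocks containing script-capable markup.

    This is a review aid for content already on disk; it does not replace
    output escaping, which is the actual fix.
    """
    findings = {}
    for path, text in store.items():
        hits = [label for label, pattern in SUSPICIOUS if pattern.search(text)]
        if hits:
            findings[path] = hits
    return findings


if __name__ == "__main__":
    for path, text in CONTENT_STORE.items():
        print(path)
        print("  unsafe :", render_unsafe(text))
        print("  escaped:", render_escaped(text))
    print("audit findings:", audit_store(CONTENT_STORE))
```

Escaping everything is the right default for blocks meant to hold plain text. Where a CMS block is intended to carry rich text, the escaped renderer above would also neutralise the legitimate `<b>` in the first sample, so the correct fix in that case is an allowlist HTML sanitizer applied at output (or at save time with output escaping as a second layer); what must never happen is the verbatim substitution shown in `render_unsafe`.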

As the news of this persistent cross-site scripting vulnerability in Automad version 2.0.0-alpha.4 spreads, it is imperative for users to take immediate action to mitigate the risk. Developers are advised to update to a secure version of Automad as soon as a patch or fix is released to prevent any potential security breaches. In the meantime, users are encouraged to remain vigilant and cautious while interacting with the affected software to avoid falling victim to malicious attacks.
