Summary
Incomplete HTML sanitization on the pretty error page can be used to inject an iframe or other unwanted HTML content on the website. This injected content could then be used to direct the user to a fake "solution" to the error, with a malicious URL as the destination. The injection source is the admin_help route responder for help articles that accepts arbitrary GET request input and does not adequately sanitize it before passing it on to the Twig template engine.
Impact
This is not a stored XSS. The pretty error page provides no access to confidential data. However the XSS could be used to trick unsuspecting webmasters and/or visitors into trusting a malicious third-party website. The victim could be fooled into entering credentials into a fake login form for the purpose of credential theft, or redirected to a scam website.
Patches
Chyrp Lite "Boreal" v2025.01 resolves this issue by making the following changes:
- HTML on error pages is limited to a subset of tags that are considered safe.
- The
admin_help route responder now strips < and > from the GET request.
aspyct Reporter
Summary
Incomplete HTML sanitization on the pretty error page can be used to inject an
iframeor other unwanted HTML content on the website. This injected content could then be used to direct the user to a fake "solution" to the error, with a malicious URL as the destination. The injection source is theadmin_helproute responder for help articles that accepts arbitrary GET request input and does not adequately sanitize it before passing it on to the Twig template engine.Impact
This is not a stored XSS. The pretty error page provides no access to confidential data. However the XSS could be used to trick unsuspecting webmasters and/or visitors into trusting a malicious third-party website. The victim could be fooled into entering credentials into a fake login form for the purpose of credential theft, or redirected to a scam website.
Patches
Chyrp Lite "Boreal" v2025.01 resolves this issue by making the following changes:
admin_helproute responder now strips<and>from the GET request.