N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4mgv-366x-qxvx

GHSA-4mgv-366x-qxvx: Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options

Overview of all XSS Reports

Multiple stored XSS vulnerabilities were found in Craft CMS. They were split into 4 reports as follows:

| Report | What's Vulnerable | Why Separate | |--------|-------------------|--------------| | This Report (1) | Multiple settings names | Twig Template: _includes/forms/checkbox.twig | | Report 2 | Entry Types Name | Twig Template: _includes/forms/editableTable.twig | | Report 3 | Card Attributes in Field Layout | helpers/Cp.php | | Report 4 (Commerce) | Product Type Name | Source in Commerce, sink in CMS - will report this one via Commerce GHSA |

Reports 2, 3, and 4 are clearly distinct locations. For this report (Report 1), it was not clear whether to split or consolidate these 7 bugs. The bug report was consolidated and the final categorization should be left to the judgement of the user.

Note: This overview is only in this Report. Other reports only reference this one.

Summary

Stored XSS in multiple settings. Names/labels are rendered without sanitization via checkbox.twig template which uses {{ label|raw }}.

Affected Sources

| # | Source (injection point) | Sink (where payload reflects) | | --- | ------------------------------------------------------------------------ | --------------------------------------------- | | 1 | Section Name (/admin/settings/sections) | Entries field -> Sources checklist | | 2 | Volume Name (/admin/settings/assets/volumes/{vol_id}) | Assets field -> Sources checklist | | 3 | User Group Name (/admin/settings/users/groups) | Users field -> Sources, User permissions page | | 4 | Global Set Name (/admin/settings/globals) | User permissions page | | 5 | Generated Fields Name (Volumes, Users, etc.) | Card Attributes checkboxes | | 6 | Checkboxes & Radio Buttons Field Option Label (/admin/settings/fields) | User profile pages | | 7 | Custom Sources Label (/admin/users -> Customize Sources) | Users field -> Sources checklist |

Proof of Concept

Required Permissions (Attacker)

Admin access
allowAdminChanges is enabled in production, which is against our security recommendations.

Bugs 1-3: Section, Volume, User Group Names

Log in as admin.
Inject payload in one of these:
- Settings -> Sections -> Create/edit section -> Name
- Settings -> Assets -> Volumes -> Create/edit volume -> Name
- Settings -> Users -> User Groups -> Create/edit group -> Name
Set Name to:

<img src=x onerror="alert('XSS')">

Save.
Go to Settings -> Fields -> Create new field.
To trigger the XSS payload: Set Field Type to "Entries" (for Sections), "Assets" (for Volumes), or "Users" (for User Groups). The alert fires when the Sources checkbox list renders.

Note: User Group Name also reflects on User permissions page under User Groups section (/admin/users/{id}/permissions).

Bug 4: Global Set Name

Go to Settings -> Globals (/admin/settings/globals).
Create/edit a Global Set, set Name to payload.
Save.
Go to Users -> Edit any user -> Permissions tab (/admin/users/{id}/permissions).
Alert fires because our payload got rendered in the "Global Sets" permissions section without encoding/sanitization.

Bug 5: Generated Fields Name

Go to Settings -> Assets -> Volumes -> Create/Edit a volume.
Scroll to Generated Fields section.
Add a field, set Name to payload:

<img src=x onerror="alert('XSS')">

Save & Notice the alert. The payload renders in the Card Attributes checkbox list below it.

Bug 6: Checkboxes/Radio Buttons Option Label

Go to Settings -> Fields (/admin/settings/fields).
Create new field, set Field Type to "Checkboxes" or "Radio Buttons".
In Field Options, add an option with Label set to payload.
Save the field.
Go to Settings -> Users -> User Profile Fields (/admin/settings/users/fields).
Add the created field to the layout and save.
Alert fires on any user profile page (/admin/users/{id}).

Bug 7: Custom Sources Label

Go to Users (/admin/users).
Click the three dots icon -> Customize Sources.
Create a new custom source, set Label to payload.
Save.
Go to Settings -> Fields -> Create new field.
Set Field Type to "Users".
Alert fires in the Sources checkbox list.

Resources

https://github.com/craftcms/cms/commit/943152d2246b36f12adf161a03b8695b773d9276 https://github.com/craftcms/cms/commit/67780a778c6ec04e68e64a0b1177c168306144a2

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-4mgv-366x-qxvx

GHSA-4mgv-366x-qxvx:

N/A

CVSS Score

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
craftcms/cms	composer	>= 5.0.0-RC1, < 5.9.0-beta.1	5.9.0-beta.1
craftcms/cms	composer	>= 4.0.0-RC1, < 4.17.0-beta.1	4.17.0-beta.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a series of stored Cross-Site Scripting (XSS) issues originating from a failure to properly sanitize various names and labels within Craft CMS's settings. The core of the issue lies in multiple sinks where this user-provided data is rendered as unescaped HTML.

The analysis of the provided patches (67780a778c6ec04e68e64a0b1177c168306144a2 and 943152d2246b36f12adf161a03b8695b773d9276) points to several key locations where the vulnerability was fixed:

Twig Templates: In src/templates/_includes/forms/checkbox.twig and radio.twig, the vulnerable {{ label|raw }} filter, which explicitly allows raw HTML, was removed. The templates now use {{ label }}, which correctly escapes the output by default.
Server-Side PHP: In src/fields/BaseOptionsField.php, the previewPlaceholderHtml function was patched to use Html::encode() on labels before rendering them in a field preview. This prevents payloads in checkbox or radio button field options from executing.
Client-Side JavaScript: In src/web/assets/cp/src/js/UI.js, the UI-building functions Craft.ui.createCheckbox and Craft.ui.createSelect were modified. They previously treated their label properties as raw HTML. The patch changes this behavior to treat labels as plain text by default, while introducing a separate labelHtml property for cases where HTML is required. This change mitigates the XSS risk from numerous sources, such as Section, Volume, and User Group names, which are rendered using these JavaScript functions.

During exploitation, a runtime profile would show calls to these identified functions as they process and render the malicious input, leading to the execution of the XSS payload in the victim's browser.

Vulnerable functions

craft\fields\BaseOptionsField::previewPlaceholderHtml

src/fields/BaseOptionsField.php

This function generates an HTML preview for fields with multiple options. Before the patch, it concatenated option labels without encoding them, allowing raw HTML and XSS payloads from a field's option labels to be rendered. This corresponds to 'Bug 6' in the vulnerability report.

Craft.ui.createCheckbox

src/web/assets/cp/src/js/UI.js

This client-side JavaScript function builds a checkbox element. It was vulnerable because it rendered the `config.label` property directly as HTML. An attacker could inject a payload into various settings names or labels (e.g., Section Name, Volume Name), which would then be passed to this function and executed when the checkbox was rendered in the UI. This function is a sink for multiple injection points described in the report (Bugs 1, 2, 3, 5, 7).

Craft.ui.createSelect

src/web/assets/cp/src/js/UI.js

This client-side JavaScript function builds a select dropdown element. It was vulnerable because it rendered the `label` property of each option directly as HTML. An attacker could inject a payload into an option label, which would be executed when the select dropdown was rendered.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-4mgv-366x-qxvx: Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options

Overview of all XSS Reports

Summary

Affected Sources

Proof of Concept

Required Permissions (Attacker)

Bugs 1-3: Section, Volume, User Group Names

Bug 4: Global Set Name

Bug 5: Generated Fields Name

Bug 6: Checkboxes/Radio Buttons Option Label

Bug 7: Custom Sources Label

Resources

GHSA-4mgv-366x-qxvx:

N/A

-

Basic Information

Basic Information

Is this CVE running in your environment?

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

Unlock WAF rules for this CVE

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Technical Details

N/A

N/A

GHSA-4mgv-366x-qxvx: Craft CMS Vulnerable to Stored XSS in Settings Names and Field Options

Overview of all XSS Reports

Summary

Affected Sources

Proof of Concept

Required Permissions (Attacker)

Bugs 1-3: Section, Volume, User Group Names

Bug 4: Global Set Name

Bug 5: Generated Fields Name

Bug 6: Checkboxes/Radio Buttons Option Label

Bug 7: Custom Sources Label

Resources

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI