Metamorfosec Security Advisory METS-2020-002

A Stored Cross Site Scripting (XSS) Vulnerability in Galileo CMS v0.042

FIRST PUBLISHED: Aug 12, 2020
VERSION: 1.0
VENDOR: Joel Berger
PRODUCT: Galileo CMS
VERSION AFFECTED: 0.042 (prior versions were not tested and may also be affected)
CVE-ID: CVE-2019-7410

PRODUCT DESCRIPTION:
(based on https://metacpan.org/pod/Galileo)
Galileo is a Perl CMS (built on Mojolicious) with some unusual features. It uses client-side markdown rendering and websockets for saving page data without reloading.

FINDING:
There is a stored cross site scripting (XSS) vulnerability in Galileo CMS v0.042. Remote authenticated users could inject arbitrary web script or HTML via $page_title in /lib/Galileo/files/templates/page/show.html.ep (aka the PAGE TITLE field). The injected value is saved with the page, so the script runs every time the page is rendered, including for other users who later view it, rather than only once for the user who entered it.

PROOF OF CONCEPT:
1. Log in to Galileo CMS.
2. Go to Edit This Page (the steps below assume the current page is Home, but other pages are affected as well).
3. In the PAGE TITLE field, add ">
4. Click the Save Page button.
5. Go to the Home page to trigger the alert.
6. Log out of Galileo CMS (the alert is also triggered when clicking Log Out).
7. Log in to Galileo CMS again; the alert is still triggered.

MITIGATION:
Update to v0.043 or newer (NOTE: Galileo CMS has been soft-deprecated since v0.043).

ADVISORY TIMELINE:
Jan 13, 2019 - Sent first notification to the developer
Jan 15, 2019 - Got a response from the developer and requested a CVE-ID
Feb 6, 2019 - Obtained CVE-ID (CVE-2019-7410, still RESERVED)
Aug 6, 2020 - Made a pull request on the GitHub repository, contacted the developer, and the developer released v0.043
Aug 12, 2020 - Released this advisory and requested publication of CVE-2019-7410

REVISION HISTORY:
Aug 12, 2020 - First release

REFERENCES:
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7410
2. https://github.com/jberger/Galileo/pull/55/files
3. https://metacpan.org/changes/distribution/Galileo
4. https://metamorfosec.com/Files/Commits/METC-2020-002-Escape_banner_in_Galileo_CMS_v0.042.txt

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on our website.
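WORKED ILLUSTRATION (added here; this is not code from the advisory, from Galileo CMS, or from the referenced pull request):
The FINDING and PROOF OF CONCEPT above describe a page title that is stored and then rendered into a Mojolicious .ep template without escaping. The Perl script below reproduces the mechanism with Mojo::Template, the engine behind .ep templates. The two one-line templates are assumptions about the shape of show.html.ep (a title placed inside a quoted attribute), not its actual contents, and the payload is a constructed attribute-breakout string modelled on the `">` prefix in step 3 of the PoC, not the advisory's own payload. The only difference between the two templates is `<%== %>` (raw output) versus `<%= %>` (XML-escaped output when auto_escape is enabled, which is the default for .ep templates inside a Mojolicious application).

```perl
#!/usr/bin/env perl
# Added illustration, not Galileo's code: an unescaped page title inside an
# attribute of a Mojolicious .ep template becomes a stored XSS; the escaped
# form renders the same input harmlessly.
use strict;
use warnings;
use Mojo::Template;

# Constructed (hypothetical) attacker input: '"' closes the attribute value,
# '>' closes the tag, and whatever follows is parsed as markup by the browser.
my $page_title = q{"><script>alert(1)</script>};

# Assumed template shapes (not the real show.html.ep). <%== %> emits the
# value raw; <%= %> runs it through xml_escape when auto_escape is on.
my $vulnerable = q{<a href="#" title="<%== $page_title %>">Page</a>};
my $hardened   = q{<a href="#" title="<%= $page_title %>">Page</a>};

# Render a template with the given title passed as a named variable, the same
# way the Mojolicious renderer hands stash values to an .ep template.
sub render_title {
    my ($template, $title) = @_;
    return Mojo::Template->new(auto_escape => 1, vars => 1)
        ->render($template, { page_title => $title });
}

# Crude breakout check: if a raw '<script' survives into the HTML, the value
# was not escaped and the attribute boundary has been broken.
sub leaks_script {
    my ($html) = @_;
    return $html =~ /<script/i ? 1 : 0;
}

for my $case ([vulnerable => $vulnerable], [hardened => $hardened]) {
    my ($name, $tpl) = @$case;
    my $html = render_title($tpl, $page_title);
    printf "%-10s leaks=%d  %s\n", $name, leaks_script($html), $html;
}
```

Running the script shows the vulnerable template producing a closed `<a>` tag followed by a live `<script>` element, while the hardened template keeps the entire input inside the `title` attribute as `&quot;&gt;&lt;script&gt;...`. Because the title is persisted with the page, the first form executes on every render of any template that prints it (which is why the PoC sees the alert again on Log Out and after logging back in); the fix is to escape at the output point, as the v0.043 change referenced above does, rather than to filter input on save.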