XSS vulnerabilities in Croogo CMS 1.3


Croogo CMS is prone to HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input.


Vulnerable Software: 1.3
Full disclosure Date: 2010-06-14
Last Update: 2010-05-10
Critical: Low
Impact: HTML injection
           Session hijack
           Denial of service
           Code execution

Solution Status: Vendor informed and patch submitted to public repository


Croogo is a content management system gaining popularity rapidily in the CAKEPHP community.


Croogo CMS is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied.

Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.


Attackers can exploit this issue with a web browser sending malicious code through the field ‘name’ located in the user registration form (http://site/users/add) or the field ‘data[Comment][body]’ in the “add a comment” form to comment on a post (http://site/comments/add/).

This time the field ‘data[Comment][body]’ gets sanitized correctly but Tipsy, a Javascript library in charge of creating the tooltips, decodes again the stored sanitized string and it allows html injection in the admin panel.


Upgrade to Croogo 1.3.1 or apply patch Croogo’s public repository


2010/05/08 – Vulnerability discovered
2010/05/08 – Vendor contacted
2010/05/1 2 – Patch submitted to Croogo’s public source code repositories
2010/06/14 – Full disclosure


Croogo CMS – Croogo CMS Official website
Croogo on GitHub – Croogo GitHub
Websec’s advisory permalink – http://websec.ca/advisories/view/ws10-08-croogo_cms_1.3_xss_vulnerabilities



Leave a Reply

Your email address will not be published. Required fields are marked *