H5P < 1.15.8 – Contributor+ Stored XSS | CVE 2024-3111 | Plugin Vulnerabilities

Description

The plugin does not validate uploads which could allow a Contributors and above to update malicious SVG files, leading to Stored Cross-Site Scripting issues

Proof of Concept

1. Upload an H5P archive containing a malicious SVG file w/an XSS
2. Example: https://drive.google.com/file/d/1DNZmv-at_HPtDeYr8ExjRrekHSUOaGzh/view?usp=sharing
3. Once the upload is finished, users will be able to access the malicious SVG directly, triggering an XSS

Affects Plugins

Fixed in 1.15.8

References

CVE

URL

https://research.cleantalk.org/cve-2024-3111/

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Submitter

Dmitrii Ignatyev

Submitter website

https://research.cleantalk.org

Verified

Yes

WPVDB ID

7c39f3b5-d407-4eb0-aa34-b498fe196c55

Timeline

Publicly Published

2024-06-06 (about 24 days ago)

Added

2024-06-06 (about 24 days ago)

Last Updated

2024-06-26 (about 4 days ago)

Other

Published

Title

Published

2016-12-14

Title

All In One WP Security & Firewall <= 4.2.1 - Cross-Site Scripting (XSS)

Published

2020-07-13

Title

Workup – Job Board < 2.1.6 - Unauthenticated Reflected XSS

Published

2024-06-06

Title

Newsletters < 4.9.6 - Reflected Cross-Site Scripting

Published

2023-08-30

Title

Translate WordPress with GTranslate < 3.0.4 - Admin+ Stored XSS

Published

2014-05-28

Title

Alipay < 3.7.0 'inc.tenpay_notify.php' Cross-Site Scripting (XSS)