NavigateCMS / Navigate-CMS

Navigate CMS, a very powerful open source content management system for everybody.
http://www.navigatecms.com
GNU General Public License v2.0

Reflected XSS attack with navigate-quickse parameter and affect many modules in NavigateCMS 2.9 #24

Closed hydrasky-team closed 3 years ago

hydrasky-team commented 3 years ago

**EXPECTED BEHAVIOUR**

An authenticated malicious user can take advantage of a Reflected XSS vulnerability with the navigate-quickse parameter in the URL and affect many modules.

**IMPACT**

Impacts commonly include transmitting private data, such as cookies or other session information, to the attacker, redirecting the victim to web content controlled by the attacker, or performing other malicious operations on the user's machine under the guise of the vulnerable site.

**VULNERABILITY CODE**

I found the vulnerable code in many files, because initial_url is built in these files:

- lib\packages\backups\backups.php
- lib\packages\blocks\blocks.php
- lib\packages\brands\brands.php
- lib\packages\comments\comments.php
- lib\packages\coupons\coupons.php
- lib\packages\feeds\feeds.php
- lib\packages\functions\functions.php
- lib\packages\items\items.php
- lib\packages\menus\menus.php
- lib\packages\orders\orders.php
- lib\packages\payment_methods\payment_methods.php
- lib\packages\products\products.php
- lib\packages\profiles\profiles.php
- lib\packages\shipping_methods\shipping_methods.php
- lib\packages\templates\templates.php
- lib\packages\users\users.php
- lib\packages\webdictionary\webdictionary.php
- lib\packages\websites\websites.php
- lib\packages\webusers\webusers.php


After that, initial_url is used in the \lib\layout\navitable.class.php file to build HTML.


**STEPS TO REPRODUCE**

1. We change the request and send the link to the user:

```
GET /navigate-2.9.3r1525/navigate/navigate.php?fid=websites&act=list&quicksearch=true&navigate-quicksearch=0"})%3b+alert("XSS")%3b$("%23websites_list").jqGrid({//
```

2. A user who is already logged in clicks the link above.

3. When the page loads, the Reflected XSS is executed.
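The pattern this report describes (a request parameter concatenated into initial_url and then echoed inside an inline jqGrid() initialisation), shown here as an added PHP illustration beside a hardened form. This is not NavigateCMS code; the function and variable names are assumptions about that pattern, and the sample input is constructed.

```php
<?php
// Added illustration, not NavigateCMS code. Function and variable names are
// assumptions about the pattern the issue describes: a request parameter
// (navigate-quicksearch) is concatenated into initial_url and that URL is
// echoed inside an inline jqGrid() initialisation script.

// Vulnerable pattern: raw concatenation into a JavaScript string literal.
// A value containing a double quote terminates the literal, and whatever
// follows in the parameter is parsed by the browser as JavaScript.
function render_grid_init_unsafe(string $quicksearch): string
{
    $initialUrl = 'navigate.php?fid=websites&act=json&navigate-quicksearch=' . $quicksearch;
    return '<script>$("#websites_list").jqGrid({url: "' . $initialUrl . '"});</script>';
}

// Hardened pattern: keep the parameter a single query value with
// rawurlencode(), then emit the URL with json_encode() and the HEX flags so
// that quotes, angle brackets and ampersands cannot break out of the
// JavaScript string or close the surrounding <script> element.
function render_grid_init_safe(string $quicksearch): string
{
    $initialUrl = 'navigate.php?fid=websites&act=json&navigate-quicksearch=' . rawurlencode($quicksearch);
    $jsUrl = json_encode(
        $initialUrl,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_SLASHES
    );
    return '<script>$("#websites_list").jqGrid({url: ' . $jsUrl . '});</script>';
}

// Constructed sample input with the shape used in the report: a closing quote,
// a brace and a comment marker. In the unsafe output the quote closes the
// string literal; in the safe output the whole value stays inside one string.
$sample = '0"}); /* injected */ //';
echo render_grid_init_unsafe($sample), PHP_EOL;
echo render_grid_init_safe($sample), PHP_EOL;
```

For detection, the same property gives a simple grep target in server logs: a navigate-quicksearch value containing `"`, `}` or `//` that is not percent-encoded is never produced by the application's own links.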

NavigateCMS commented 3 years ago

Fixed by 466e1f88b059061beea27d3876bd1f8b6730ae13

Thank you for all @hydrasky-team