Two new XSS security holes, and resolutions

Hello,

Two security holes were recently discovered in current and previous versions of Composr CMS.

These issues have been fixed in the new version released today, 10.0.38. In this news post we explain the issues and provide temporary mitigations for those who do not wish to upgrade to 10.0.38 immediately.

Vulnerability 1: XSS in Comcode

Bug:
An attacker can inject JavaScript via Comcode.
This issue is tagged as CVE-2021-38708.

Affects:
Composr CMS sites on which users hold the "Subject to a more liberal HTML filter" privilege. By default only staff have this privilege, so most sites will not be vulnerable (assuming staff can be trusted).

Reason for mistake:
There is a special way of writing invalid HTML that manages to evade our filter.

Fix in v10.0.38:
The filter has been tweaked to handle the new case, and our test set extended to check for it.

Temporary mitigation:
Download the latest manual extractor installer and replace your sources/input_filter.php file with the copy it contains.

Vulnerability 2: XSS in staff_messaging addon

Bug:
An attacker can inject JavaScript via the messaging system.
This issue is tagged as CVE-2021-38709.

Affects:
Composr CMS sites that have the staff_messaging addon installed and in active use. The addon is installed by default and is the default mechanism behind the default contact form, so many sites will be vulnerable.

Reason for mistake:
There is a very specific mistake in our sanitisation for this addon.

Fix in v10.0.38:
The very specific mistake has been corrected.

Temporary mitigation:
Download the latest manual extractor installer and replace your themes/default/templates/MESSAGING_MESSAGE_SCREEN.tpl file with the copy it contains.

Credit

These issues were reported to us responsibly by onemanteam123321. We greatly appreciate groups and individuals who report vulnerabilities to us responsibly.