GHSA-G3HP-VVQF-8VW6

Vulnerability from github – Published: 2026-03-11 14:56 – Updated: 2026-03-11 14:56
VLAI
Summary
Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page
Details

Summary

A stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user's permissions.

[!NOTE] This is a separate vulnerability from the previously reported "Stored XSS via User Group Name in User Settings Page" and "Multiple Stored XSS in User Group Edit Page". This affects a different sink: the individual user's permissions page.

Proof of Concept

Required Permissions

Steps to Reproduce

  1. Log in to the control panel as an admin
  2. Navigate to Settings → Users → User Groups
  3. Create or edit a user group and set the Name field to: html <img src=x onerror="alert('XSS')" hidden>
  4. Save the user group
  5. Navigate to Users and edit any user (/admin/users/{id})
  6. Click on the Permissions tab
  7. XSS executes

Mitigation

Sanitize user group names when rendering in the user permissions template.

References

https://github.com/craftcms/cms-ghsa-4mgv-366x-qxvx/pull/2

Severity
1.8 (Low)
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.8.21"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0-RC1"
            },
            {
              "fixed": "5.8.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T14:56:59Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\nA stored XSS vulnerability exists in the User Permissions page. The User Group name is rendered without proper HTML escaping in the permissions section, allowing an attacker to execute arbitrary JavaScript when another user views or edits a user\u0027s permissions.\n\n\u003e [!NOTE]\n\u003e This is a separate vulnerability from the previously reported \"[Stored XSS via User Group Name in User Settings Page](https://github.com/craftcms/cms/security/advisories/GHSA-2423-8xxj-wc3g)\" and \"[Multiple Stored XSS in User Group Edit Page](https://github.com/craftcms/cms/security/advisories/GHSA-vx7g-xw92-g4xj)\". This affects a different sink: the individual user\u0027s permissions page.\n\n## Proof of Concept\n### Required Permissions\n- Admin access\n- `allowAdminChanges` is enabled in production, which is against our [security recommendations](https://craftcms.com/knowledge-base/securing-craft).\n\n### Steps to Reproduce\n1. Log in to the control panel as an admin\n2. Navigate to **Settings \u2192 Users \u2192 User Groups**\n3. Create or edit a user group and set the **Name** field to:\n    ```html\n    \u003cimg src=x onerror=\"alert(\u0027XSS\u0027)\" hidden\u003e\n    ```\n4. Save the user group\n5. Navigate to **Users** and edit any user (`/admin/users/{id}`)\n6. Click on the **Permissions** tab\n7. XSS executes\n\n## Mitigation\nSanitize user group names when rendering in the user permissions template.\n\n## References\n\nhttps://github.com/craftcms/cms-ghsa-4mgv-366x-qxvx/pull/2",
  "id": "GHSA-g3hp-vvqf-8vw6",
  "modified": "2026-03-11T14:56:59Z",
  "published": "2026-03-11T14:56:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-g3hp-vvqf-8vw6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS Vulnerable to Stored XSS via User Group Name in User Permissions Page"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.