Описание
listmonk Vulnerable to Stored XSS Leading to Admin Account Takeover
Security Advisory: Stored XSS Leading to Admin Account Takeover
Affected Versions: ≤ 5.1.0
Vulnerability Type: CWE-79: Stored Cross-Site Scripting
Summary
A lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts.
The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required.
Required Attacker Permissions
Note: These are common permissions for content managers who are not full admins.
Attack Vectors
Vector 1: Raw HTML (Direct Script Tag)
Vector 2: Go Template Safe Function
Attack Scenarios
Scenario 1: Campaign Preview Attack
- Attacker creates campaign with XSS payload
- Request is made to super admin: "Please review my newsletter draft"
- Super admin opens campaign and clicks Preview
- XSS executes → Backdoor admin account created
- Attacker logs in with
backdoor/Hacked123
Scenario 2: Archive Link Attack (No Click Required)
- Attacker creates campaign with XSS payload
- Attacker enables Archive for the campaign
- Attacker shares archive link:
http://localhost:9000/archive/{uuid} - Super admin visits the link (no preview click needed!)
- XSS executes automatically → Account takeover
Proof of Concept
Step 1: Create Malicious Campaign
As lower-privileged user, create campaign with body:
Step 2: Enable Archive (Optional - for link-based attack)
- Edit campaign settings
- Enable "Archive"
- Copy archive URL:
http://localhost:9000/archive/{campaign-uuid}
Step 3: Trigger Execution
Option A - Preview:
- Send campaign to super admin for "review"
- Super admin previews → XSS fires
Option B - Archive Link:
- Share archive URL with super admin
- Super admin visits link → XSS fires automatically
Step 4: Verify Takeover
Evidence Screenshots
[Screenshot 1: Lower-privileged user creating malicious campaign]
[Screenshot 2: Super admin previewing campaign]
[Screenshot 3: Backdoor user successfully created]
Impact
| Action | Possible via XSS |
|---|---|
| Create backdoor admin | ✅ Yes |
| Export all subscribers | ✅ Yes |
| Modify SMTP settings | ✅ Yes |
| Delete all campaigns | ✅ Yes |
| Access API keys/secrets | ✅ Yes |
Affected Components
| Component | XSS Works? | Method |
|---|---|---|
| Campaign body (Raw HTML) | ✅ Yes | Direct <script> tag |
| Campaign body (Template) | ✅ Yes | {{ \ ` | Safe }}` |
| Template body | ✅ Yes | Both methods |
| Campaign archive | ✅ Yes | Automatic execution on visit |
Пакеты
github.com/knadh/listmonk
>= 1.1.1, < 6.0.0
6.0.0
github.com/knadh/listmonk
< 1.1.1-0.20251231125615-74dc5a01cfbb
1.1.1-0.20251231125615-74dc5a01cfbb
Связанные уязвимости
listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user (Super Admin) views or previews this content, the XSS executes in their browser context, allowing the attacker to perform privileged actions such as creating backdoor admin accounts. The attack can be weaponized via the public archive feature, where victims simply need to visit a link - no preview click required. Version 6.0.0 fixes the issue.