STR as reported:
1. Log in to account
2. Visit the following URL: /admin/structure/block/block-content/manage/basic/fields
3. Click Manage fields and then the edit tab
4. Name label as Body"></iframe><img/src="x"/onerror="alert(document.domain)"/><"
5. Save the settings
6. Now click back to the edit tab and the XSS alert will pop up
Note from pwolanin: attack string can be simplified to:
Body<img/src="x"/onerror="alert(document.domain)"/>
This appears to occur via the CKEditor markup that's injected into the page, not any of the original markup. I see this in the console:
GET http://drupal-8.local:8083/admin/structure/block/block-content/manage/basic/fields/x 404 (Not Found)
Here's the attack in the manipulated page via Chrome inspector:
I can also reproduce on path: /admin/structure/comment/manage/comment/fields/comment.comment.comment_body
so it's not specific to block content.
Reported via Drupal 8 security bug bounty
https://tracker.bugcrowd.com/submissions/999c269994c4384d59e40d8dd5a6f21...
credit to:
https://www.drupal.org/u/g1n1
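
The note above places the injection in markup the editor script adds, not in the server-rendered page. The following is an added example (not code from the report, Drupal or CKEditor) of how a label that is escaped once on the server can still become live markup when script reads it back and concatenates it into new HTML; the `data-label` attribute, the `editor-label` span and all function names are hypothetical, and the actual CKEditor code path is not shown on this page.

```javascript
// Constructed input: the simplified label string from the report above.
const label = 'Body<img/src="x"/onerror="alert(document.domain)"/>';

// Escape the HTML-significant characters for text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Models what a browser does when script reads an attribute: entities are decoded.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, n) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  }[n]));
}

// Server side: the label is escaped once, so the original markup is inert.
function serverRender(fieldLabel) {
  return '<textarea data-label="' + escapeHtml(fieldLabel) + '"></textarea>';
}

// Hypothetical client step: read the attribute value back, already decoded.
function readLabel(serverHtml) {
  const m = /data-label="([^"]*)"/.exec(serverHtml);
  return decodeEntities(m[1]);
}

// Unsafe sink: the decoded label is concatenated into new markup.
function buildEditorMarkupUnsafe(serverHtml) {
  return '<span class="editor-label">Editor: ' + readLabel(serverHtml) + '</span>';
}

// Hardened sink: escape again at the point where HTML is built.
function buildEditorMarkupSafe(serverHtml) {
  return '<span class="editor-label">Editor: ' + escapeHtml(readLabel(serverHtml)) + '</span>';
}

const page = serverRender(label);
console.log('server markup has <img:', page.includes('<img'));
console.log('unsafe client markup has <img:', buildEditorMarkupUnsafe(page).includes('<img'));
console.log('safe client markup has <img:', buildEditorMarkupSafe(page).includes('<img'));
```

In a real browser the same hardening is usually done by assigning the label through `textContent` or `setAttribute` rather than building an HTML string.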