Description
Craft is a content management system (CMS). The fix for CVE-2025-35939 in craftcms/cms introduced a strip_tags() call in src/web/User.php to sanitize return URLs before they are stored in the session. However, strip_tags() only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like javascript:alert(document.cookie) contain no HTML tags and pass through strip_tags() completely unmodified, enabling reflected XSS when the return URL is rendered in an href attribute. This vulnerability is fixed in 5.9.7 and 4.17.3.
Remediation
References
Related Vulnerabilities
Joomla! Core Security Bypass (1.6.0 - 3.6.0)
Python Incorrect Authorization Vulnerability (CVE-2020-15801)
WordPress Plugin Localize My Post Local File Inclusion (1.0)
WordPress 4.1.x Multiple Vulnerabilities (4.1 - 4.1.39)
WordPress Plugin Image Gallery with Slideshow 'upload-file.php' Arbitrary File Upload (1.5)