XSS Vulnerability in Conductrics WYSIWYG Module

Summary: An XSS vulnerability was discovered Feb 19, 2025 in the WYSIWYG "stack" within Conductrics. We temporarily disabled the WYS functionality for all customers while a fix was prepared. As of Feb 24, the WYS functionality can be safely re-enabled, except for those customers that wish to leave it disabled.

Impact: This was a "Type 0" XSS vulnerability, as defined by CWE-79. While we don't have any evidence that the vulnerability was actively exploited in the wild, the potential impacts of XSS vulnerabilities are considerable. Please see the Potential Impact section below.

Timeline

All times US Central Standard Time (CT):

  • 19-Feb-2025 3:46pm CT - Vulnerability discovered.
  • 19-Feb-2025 4:40pm CT - We begin disabling WYS functionality for customers to neutralize the vulnerability.
  • 19-Feb-2025 7:29pm CT - Completed disabling of WYS functionality for all customers.
  • 20-Feb-2025 9:00am CT - Conductrics posts this disclosure page on our support site and begins reaching out to customers.
  • 21-Feb-2025 8:00am CT - Conductrics has prepared an update that fixes the vulnerability. We are in the process of validating it today, and currently plan to push this update out on Monday (Feb 24). In the meantime, the WYS functionality remains disabled to neutralize the vulnerability.
  • 24-Feb-2025 4pm CT - Conductrics has rolled out the update that fixes the vulnerability. We have left WYS "turned off" for all current customers, so they can each make their own decision about when to re-enable WYS via the "Enable Editing" option in our admin console. While we are confident it is now safe to re-enable WYS, we understand that some customers may choose to leave it disabled, especially if it's not typically used by your teams.

What to Expect

As of Feb 24, current Conductrics customers will find that the "WYS" tools within Conductrics remain turned off and simply do not launch. This includes the "Point To" tools when providing CSS selectors to various parts of the Conductrics Admin.

Teams that wish to re-enable the WYS functionality can safely do so via the "Enable Editing" option in the Conductrics Admin. We will reach out to each of our customers under separate cover with specific instructions.

Potential Impact

This was a classic "Cross-Site Scripting" (XSS) vulnerability, as defined by CWE-79.

As such, it would have allowed for any of the bad things that XSS vulnerabilities typically allow for. The usual exploit pattern is for the attacker to use common "phishing" techniques (SMS, email, etc) to trick someone into visiting an official-looking "exploit" page that looks like one of your pages, but is actually hosted by the attacker. This "exploit" page then loads one of your pages containing the vulnerability.

  • If an attacker were to convince a user to visit such an "exploit" page, the attacker could potentially have "stolen" any non-secured cookies or other locally-stored data from Local Storage, Session Storage, or IndexedDB. If that data includes a "login token" or other critical data, that means the attacker could gain control over whatever the token provides access to (such as a "My Account" type section of your site). However, it's worth noting that such important identifiers are typically stored as cookies with the "HttpOnly" and "Secure" flags set, which would not be exposed or steal-able via this vulnerability.

  • Such an "exploit" page could also attempt to load an "evil" JavaScript file or other asset, perhaps in an attempt at "keylogging" or other malicious intent. However, it's worth noting that if your pages are protected with a restrictive Content-Security-Policy (CSP), your CSP is likely to disallow loading of unauthorized scripts or other assets, so you may not have actually been vulnerable in this particular way.

  • Similarly, such an "exploit" page could also have executed other arbitrary JavaScript code, perhaps to deface your pages in some way or take other malicious action.
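The two mitigations named above (cookies carrying the HttpOnly and Secure flags, and a restrictive Content-Security-Policy) can be checked directly from a page's response headers. The script below is an added example, not Conductrics' code; the headers it audits are constructed sample values, and it applies the CSP Level 2 rule that 'unsafe-inline' is ignored when a nonce or hash source is also present.

```python
"""Audit response headers for the two XSS mitigations the advisory mentions."""

def parse_set_cookie(header):
    """Return (name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), attrs

def parse_csp(header):
    """Map each CSP directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_restricts_scripts(header):
    """True if the effective script-src would block an attacker-supplied script.

    script-src falls back to default-src when absent. A wildcard or scheme-wide
    source, or 'unsafe-inline' without a nonce/hash, leaves injected scripts runnable.
    """
    policy = parse_csp(header)
    srcs = [s.lower() for s in policy.get("script-src", policy.get("default-src", []))]
    if not srcs:
        return False  # no policy at all: nothing is blocked
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in srcs)
    if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
        return False
    return not any(s in {"*", "http:", "https:", "data:"} for s in srcs)

def audit(headers):
    """Return a list of findings for a dict of lower-cased response headers."""
    findings = []
    for raw in headers.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} readable by script (no HttpOnly)")
        if "secure" not in attrs:
            findings.append(f"cookie {name} sent over plain HTTP (no Secure)")
    csp = headers.get("content-security-policy")
    if not csp or not csp_restricts_scripts(csp):
        findings.append("CSP absent or permissive: injected scripts not blocked")
    return findings

SAMPLE_HEADERS = {  # constructed sample input, not captured from any real site
    "set-cookie": ["session=abc123; Path=/; HttpOnly; Secure", "prefs=dark; Path=/"],
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```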

Our Response

Here's what we've done in response:

  1. Per the timeline above, we removed the WYS functionality right away (on Feb 19) for all customers to neutralize the vulnerability.

  2. We created a fix, tested it internally, and have rolled it out. We are confident that the vulnerability has been addressed. We are, however, leaving the WYS functionality disabled for all current customers so they can each make their own decision about when to re-enable it (via the "Enable Editing" checkbox in our admin console). We will reach out to each of you under separate cover with instructions.

  3. We have scheduled a fresh outside pentest and vulnerability assessment of the WYS functionality and all front-end JavaScript that gets added to your pages. (We have been getting regularly-scheduled pentests and vulnerability scans for years, but the WYS functionality has been out of scope for previous pentests / scans.)

More Information

As always, feel free to reach out to your usual Conductrics contacts via your normal channels (email or Slack, etc) with any questions. We will also update this page with any additional information as it becomes available.

And of course, thank you for using Conductrics.