ApostropheCMS Stored XSS Vulnerability in SEO Fields Leads to Data Exposure
A stored cross-site scripting (XSS) vulnerability exists in SEO-related fields (SEO Title and Meta Description) in ApostropheCMS v4.28.0, allowing injection of arbitrary JavaScript into HTML contexts, performing authenticated API requests, and exfiltrating sensitive data, leading to a compromise of application confidentiality.
A stored cross-site scripting (XSS) vulnerability has been identified in ApostropheCMS, specifically affecting version v4.28.0. The vulnerability resides within the SEO Title and Meta Description fields, where user-controlled input is not properly neutralized. An attacker can inject arbitrary JavaScript code into these fields, which is then rendered in HTML contexts such as <title> tags, <meta> attributes, and structured data (JSON-LD). This injected script executes within the browser of an authenticated user, enabling the attacker to perform actions on their behalf, including making authenticated API requests to retrieve sensitive data such as usernames, email addresses, and roles (including admin), and exfiltrating it to an attacker-controlled server. This can lead to a full compromise of the affected application.
Attack Chain
- An attacker logs into ApostropheCMS with an account that has permission to edit pages.
- The attacker navigates to the page creation or editing interface within the CMS.
- The attacker enters a malicious JavaScript payload into the SEO Title or Meta Description field. The payload is designed to execute when a user views the page.
- The attacker saves and publishes the page with the injected XSS payload.
- An administrator visits the published page via their web browser.
- The XSS payload executes within the administrator's browser, using the administrator's authenticated session.
- The JavaScript code makes an authenticated API request to
/api/v1/@apostrophecms/userto retrieve user data. - The response containing sensitive user data (usernames, email addresses, roles) is then base64 encoded and exfiltrated to an attacker-controlled server at
http://ATTACKER-IP:5656/?data=BASE64_ENCODED_RESPONSE.
Impact
This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of an authenticated administrator's session in ApostropheCMS. Successful exploitation allows the attacker to access and exfiltrate sensitive user data, including usernames, email addresses, and roles, potentially leading to privilege escalation and complete compromise of the application and its data. The vulnerability affects ApostropheCMS versions up to and including v4.28.0.
Recommendation
- Deploy the "ApostropheCMS XSS in SEO Fields" Sigma rule to detect attempts to inject malicious JavaScript into SEO-related fields (SEO Title and Meta Description).
- Monitor web server logs for requests containing the specific API endpoint
/api/v1/@apostrophecms/user, especially if the request is initiated from an unusual or unexpected user agent, based on the log source defined in the Sigma rules. - Inspect web server logs for outbound connections to external IPs (ATTACKER-IP) following a request to the vulnerable API endpoint as defined in the iocs section.
- Apply patches or upgrade ApostropheCMS to a version beyond 4.28.0 to remediate CVE-2026-35569.
Detection coverage 2
ApostropheCMS XSS in SEO Fields
highDetects attempts to inject potentially malicious JavaScript payloads into SEO-related fields (SEO Title and Meta Description) within ApostropheCMS, indicative of a stored XSS vulnerability exploitation attempt.
ApostropheCMS Sensitive API Access Attempt
mediumDetects attempts to access the sensitive /api/v1/@apostrophecms/user API endpoint which retrieves usernames, email addresses, and roles (including admin), in ApostropheCMS.
Detection queries are available on the platform. Get full rules →
Indicators of compromise
2
url
| Type | Value |
|---|---|
| url | https://youtu.be/FZuulua_pa8 |
| url | http://ATTACKER-IP:5656/?data=BASE64_ENCODED_RESPONSE |