{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/nukeviet-cms--4.5.09/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["NukeViet CMS \u003c 4.5.09","composer/nukeviet/nukeviet \u003c 4.5.09"],"_cs_severities":["high"],"_cs_tags":["xss","web-vulnerability","cms","nukeviet","stored-xss"],"_cs_type":"advisory","_cs_vendors":["NukeViet"],"content_html":"\u003cp\u003eA high-severity stored cross-site scripting (XSS) vulnerability, tracked as CVE-2026-49259, impacts NukeViet CMS versions 4.x through 4.5.08, as well as the 'composer/nukeviet/nukeviet' package prior to version 4.5.09. This flaw allows a low-privileged authenticated user to inject and store JavaScript payloads within their profile's \u003ccode\u003efirst_name\u003c/code\u003e and \u003ccode\u003elast_name\u003c/code\u003e display name fields. The vulnerability stems from improper neutralization of input during web page generation, specifically the insufficient JavaScript-context escaping of user-controlled data interpolated into an inline \u003ccode\u003eonclick\u003c/code\u003e handler within comment templates. When any visitor, including site administrators, interacts with the \u0026quot;Reply\u0026quot; link on a comment posted by the attacker, the stored JavaScript payload executes in their browser. This can lead to significant impact, including administrative session hijacking, credential phishing, and sensitive data exfiltration. The issue is exacerbated by default configurations where CAPTCHA for logged-in users is disabled and comments are published immediately without moderation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker, as a low-privileged authenticated user, logs into the NukeViet CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to their user profile settings page, accessible via \u003ccode\u003e/index.php?nv=users\u0026amp;op=editinfo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker injects a JavaScript payload (e.g., \u003ccode\u003ea');alert(document.domain);//\u003c/code\u003e) into their \u003ccode\u003efirst_name\u003c/code\u003e or \u003ccode\u003elast_name\u003c/code\u003e profile field.\u003c/li\u003e\n\u003cli\u003eNukeViet CMS processes and stores this input, applying HTML entity encoding (e.g., \u003ccode\u003ea\u0026amp;#039;\u0026amp;#41;;alert\u0026amp;#40;document.domain\u0026amp;#41;;\u0026amp;#x002F;\u0026amp;#x002F;\u003c/code\u003e) via \u003ccode\u003eRequest::_get_title()\u003c/code\u003e with \u003ccode\u003e$specialchars = true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker posts a comment on any NukeViet CMS page. The comment rendering template, \u003ccode\u003ethemes/default/modules/comment/comment.tpl\u003c/code\u003e, embeds the attacker's display name (\u003ccode\u003e{COMMENT.post_name}\u003c/code\u003e) within an \u003ccode\u003eonclick\u003c/code\u003e JavaScript handler without sufficient JavaScript-context escaping.\u003c/li\u003e\n\u003cli\u003eA victim, such as an administrator, navigates to the page containing the attacker's comment and clicks the \u0026quot;Reply\u0026quot; link associated with it.\u003c/li\u003e\n\u003cli\u003eThe victim's browser first decodes the HTML entities within the \u003ccode\u003eonclick\u003c/code\u003e attribute (e.g., \u003ccode\u003e\u0026amp;#039;\u003c/code\u003e becomes \u003ccode\u003e'\u003c/code\u003e) and subsequently executes the attacker's injected JavaScript payload (e.g., \u003ccode\u003ealert(document.domain)\u003c/code\u003e) in the context of the victim's session.\u003c/li\u003e\n\u003cli\u003eThis JavaScript execution allows the attacker to perform arbitrary actions in the victim's browser, potentially leading to administrative session hijacking, credential phishing, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker with a regular user account to execute arbitrary JavaScript in the browser of any visitor who clicks the \u0026quot;Reply\u0026quot; link on their comments, including site administrators. This can lead to severe consequences such as administrative session hijacking, enabling the attacker to forge administrative actions like content modification or account manipulation. Attackers can also inject fake login forms for credential phishing or exfiltrate sensitive page content and non-\u003ccode\u003eHttpOnly\u003c/code\u003e cookies from the victim's session. While NukeViet session cookies are \u003ccode\u003eHttpOnly\u003c/code\u003e and thus not directly readable, other attack vectors remain viable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch NukeViet CMS to version 4.5.09 or higher immediately to remediate CVE-2026-49259.\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) or equivalent security controls to detect and block XSS payloads within HTTP POST requests targeting user profile update endpoints like \u003ccode\u003e/index.php?nv=users\u0026amp;op=editinfo\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious injection attempts leveraging common XSS patterns in web server logs or WAF alerts.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for \u003ccode\u003e/index.php?nv=users\u0026amp;op=editinfo\u003c/code\u003e \u003ccode\u003ePOST\u003c/code\u003e requests containing URL-encoded XSS payloads in query parameters.\u003c/li\u003e\n\u003cli\u003eEnsure continuous security auditing of any custom code or modifications to NukeViet CMS templates, specifically focusing on adherence to OWASP's Cross Site Scripting Prevention guidelines, particularly Rule 2 regarding attribute encoding for JavaScript contexts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T17:27:14Z","date_published":"2026-07-13T17:27:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-nukeviet-xss/","summary":"A stored cross-site scripting (XSS) vulnerability, CVE-2026-49259, exists in NukeViet CMS versions 4.x through 4.5.08, including the 'composer/nukeviet/nukeviet' package prior to version 4.5.09, which allows a low-privileged authenticated user to inject JavaScript into their profile's display name fields that executes in the browser of any visitor, including administrators, who clicks the 'Reply' link on a comment posted by the attacker, leading to arbitrary JavaScript execution, administrative session hijacking, credential phishing, and data exfiltration.","title":"NukeViet CMS Stored Cross-Site Scripting Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-nukeviet-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - NukeViet CMS \u003c 4.5.09","version":"https://jsonfeed.org/version/1.1"}