<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Application-Layer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/application-layer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 06 Jul 2026 21:34:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/application-layer/feed.xml" rel="self" type="application/rss+xml"/><item><title>Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget</title><link>https://feed.craftedsignal.io/briefs/2026-07-dom-xss-craftsupport/</link><pubDate>Mon, 06 Jul 2026 21:34:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-dom-xss-craftsupport/</guid><description>An attacker with only a GitHub account can plant a malicious JavaScript payload in a GitHub issue title, leading to a DOM Cross-Site Scripting (XSS) vulnerability (CVE-2026-55790) that executes in a Craft CMS administrator's control panel session when they use the CraftSupport widget and retrieve the poisoned issue, allowing for arbitrary JavaScript execution and potential unauthorized actions.</description><content:encoded><![CDATA[<p>A DOM Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-55790, has been identified in Craft CMS versions prior to 5.9.22 and 4.17.15, impacting the CraftSupport widget. This flaw allows an attacker to inject and execute arbitrary JavaScript code within a Craft CMS administrator's browser session. The attack vector involves an attacker, requiring only a GitHub account and no prior access to the Craft CMS control panel, planting a JavaScript payload within the title of a GitHub issue on the <code>craftcms/cms</code> repository. When a Craft CMS administrator accesses the CraftSupport widget's &quot;Give feedback&quot; screen and searches for a term that returns the attacker-controlled issue, the unsanitized issue title is rendered, causing the malicious payload to execute. This vulnerability is critical as it grants the attacker the ability to perform actions within the administrator's authenticated session.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker creates malicious GitHub issue</strong>: An attacker, using a standard GitHub account, navigates to <code>https://github.com/craftcms/cms/issues/new</code>.</li>
<li><strong>Payload injection</strong>: The attacker crafts a new issue title that combines a plausible search term with a JavaScript payload, e.g., <code>&lt;img src=x onerror=alert(document.domain)&gt; cannot upload files</code>.</li>
<li><strong>Issue submission</strong>: The attacker submits the crafted GitHub issue to the <code>craftcms/cms</code> repository.</li>
<li><strong>Victim accesses Craft CMS dashboard</strong>: A Craft CMS administrator logs into their control panel dashboard.</li>
<li><strong>Victim opens CraftSupport widget</strong>: The administrator opens the CraftSupport widget, typically located on the dashboard.</li>
<li><strong>Victim triggers search</strong>: The administrator clicks &quot;Give feedback&quot; within the widget and types a search term (e.g., <code>cannot upload files</code>) into the search box that matches the attacker's poisoned GitHub issue title.</li>
<li><strong>Client-side rendering and XSS execution</strong>: The CraftSupport widget's JavaScript (<code>CraftSupportWidget.js</code>) fetches the GitHub issue data. The <code>FeedbackScreen.getSearchResultText</code> function returns the issue title verbatim, which is then rendered via jQuery's <code>html:</code> option, leading to immediate execution of the injected JavaScript payload (e.g., <code>alert(document.domain)</code>) in the admin's browser session.</li>
<li><strong>Post-XSS actions</strong>: The executed JavaScript can access the administrator's session context, including CSRF tokens (<code>Craft.csrfTokenName</code>, <code>Craft.csrfTokenValue</code>), allowing the attacker to send same-origin requests and perform unauthorized actions within the Craft CMS control panel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this DOM XSS vulnerability results in arbitrary JavaScript execution within the targeted Craft CMS administrator's authenticated session. This grants the attacker the ability to perform any action the administrator can, including but not limited to, modifying settings, installing malicious plugins, exfiltrating data, or creating new administrative users. The attacker can leverage the victim's session and automatically obtained CSRF tokens to bypass protections and send authenticated requests. While the attacker relies on the administrator actively using a specific search function, the potential for full administrative compromise poses a significant risk to the integrity and confidentiality of the Craft CMS instance.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-55790 immediately</strong>: Upgrade affected Craft CMS instances to version 5.9.22 or later for Craft CMS 5.x, or 4.17.15 or later for Craft CMS 4.x.</li>
<li><strong>Educate administrators</strong>: Advise Craft CMS administrators to exercise caution when interacting with embedded widgets that fetch external content, especially if search terms are user-controlled and results are displayed without obvious sanitization.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>web-vulnerability</category><category>craft-cms</category><category>application-layer</category></item></channel></rss>