{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/apostrophe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apostrophecms"],"_cs_severities":["high"],"_cs_tags":["cve","weak-password","account-takeover"],"_cs_type":"advisory","_cs_vendors":["Apostrophe"],"content_html":"\u003cp\u003eApostropheCMS is vulnerable to a critical account takeover flaw (CVE-2026-45013) stemming from a weak password reset implementation. The vulnerability resides in \u003ccode\u003emodules/@apostrophecms/login/index.js\u003c/code\u003e within the \u003ccode\u003eresetRequest\u003c/code\u003e route. The issue arises when \u003ccode\u003eapos.baseUrl\u003c/code\u003e is not explicitly configured, causing the application to construct the password reset URL using the \u003ccode\u003eHost\u003c/code\u003e header of the incoming HTTP request. This allows an unauthenticated attacker, knowing a victim\u0026rsquo;s email address, to craft a password reset request that directs the victim to a malicious domain under the attacker\u0026rsquo;s control. The victim unknowingly provides the valid reset token to the attacker when clicking the link, enabling full account takeover. This vulnerability affects ApostropheCMS versions up to and including 4.29.0. It matters for defenders because successful exploitation requires minimal attacker effort and can lead to significant data breaches or unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a valid user\u0026rsquo;s email address, potentially through publicly accessible information on the target website.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request to the \u003ccode\u003e/api/v1/login/reset-request\u003c/code\u003e endpoint, setting the \u003ccode\u003eHost\u003c/code\u003e header to a domain they control (e.g., \u003ccode\u003eevil.attacker.com\u003c/code\u003e). The request body includes the victim\u0026rsquo;s email address in JSON format.\u003c/li\u003e\n\u003cli\u003eThe server, lacking a configured \u003ccode\u003eapos.baseUrl\u003c/code\u003e, uses the attacker-controlled \u003ccode\u003eHost\u003c/code\u003e header to generate a password reset link.\u003c/li\u003e\n\u003cli\u003eThe application sends a password reset email to the victim, containing a URL that points to the attacker\u0026rsquo;s domain. This URL includes a valid, server-generated reset token and the victim\u0026rsquo;s email address as query parameters.\u003c/li\u003e\n\u003cli\u003eThe victim, believing the email to be legitimate, clicks the malicious link.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser sends a GET request to the attacker\u0026rsquo;s server, including the valid reset token and email address in the query parameters.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server captures the reset token and email address from the incoming request.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the captured token and email address to submit a password reset request to the legitimate \u003ccode\u003e/api/v1/login/reset\u003c/code\u003e endpoint, setting a new password for the victim\u0026rsquo;s account, resulting in full account takeover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45013 allows an attacker to gain full control of any user account for which they know the email address. This can lead to unauthorized access to sensitive data, modification of website content, and potential further compromise of the entire ApostropheCMS instance. The vulnerability requires no authentication and minimal interaction from the victim, making it easily exploitable at scale. The impact is especially high for deployments where \u003ccode\u003eapos.baseUrl\u003c/code\u003e is not configured, which is common in development environments and some production setups.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately configure the \u003ccode\u003eapos.baseUrl\u003c/code\u003e option in your ApostropheCMS deployment to mitigate CVE-2026-45013, as described in the advisory\u0026rsquo;s \u0026ldquo;Remediation\u0026rdquo; section. This will prevent the application from using the attacker-controlled \u003ccode\u003eHost\u003c/code\u003e header when generating password reset URLs.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect ApostropheCMS Weak Password Reset Request\u0026rdquo; to identify attempted exploitation by monitoring for password reset requests with a suspicious Host header.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Access to Password Reset URL\u0026rdquo; to detect when a user clicks on a password reset link from an attacker-controlled host.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:30:26Z","date_published":"2026-05-14T18:30:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-weak-password-reset/","summary":"ApostropheCMS is vulnerable to account takeover due to a weak password recovery mechanism; the password reset flow constructs the reset URL using `req.hostname`, derived from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured, enabling account takeover if the victim clicks a malicious password reset link.","title":"ApostropheCMS Account Takeover via Weak Password Reset Mechanism (CVE-2026-45013)","url":"https://feed.craftedsignal.io/briefs/2026-05-weak-password-reset/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apostrophecms (= 4.29.0)"],"_cs_severities":["high"],"_cs_tags":["xss","apostrophecms","cve-2026-45011","javascript"],"_cs_type":"advisory","_cs_vendors":["Apostrophe"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability exists within the image widget functionality of ApostropheCMS version 4.29.0. An attacker with Editor privileges can inject malicious JavaScript code by configuring an image widget\u0026rsquo;s link field with a \u003ccode\u003ejavascript:\u003c/code\u003e URL. This vulnerability allows the attacker to execute arbitrary JavaScript code in the browsers of other users who interact with the compromised image link, including administrators and public visitors. The vulnerability is identified as CVE-2026-45011.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into ApostropheCMS with Editor privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the home page and enables edit mode.\u003c/li\u003e\n\u003cli\u003eThe attacker adds an Image widget to the main content area.\u003c/li\u003e\n\u003cli\u003eThe attacker selects an existing image from the media library.\u003c/li\u003e\n\u003cli\u003eThe attacker opens the image widget settings.\u003c/li\u003e\n\u003cli\u003eIn the \u0026ldquo;Link to\u0026rdquo; field, the attacker selects the \u0026ldquo;URL\u0026rdquo; option.\u003c/li\u003e\n\u003cli\u003eIn the URL field, the attacker enters a malicious \u003ccode\u003ejavascript:\u003c/code\u003e payload (e.g., \u003ccode\u003ejavascript:alert(document.domain)\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker saves the widget and updates the page, publishing the malicious content.\u003c/li\u003e\n\u003cli\u003eA victim (administrator or guest) visits the published page and clicks on the linked image.\u003c/li\u003e\n\u003cli\u003eThe JavaScript payload executes in the victim\u0026rsquo;s browser, potentially allowing the attacker to perform actions on their behalf.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker with Editor privileges to store a malicious JavaScript payload in a published page within ApostropheCMS. When other users, including administrators or public visitors, click on the affected image link, the injected JavaScript executes in their browsers. This can lead to account compromise, access to sensitive data, modification of content, phishing attacks, and overall compromise of visitors who interact with the malicious image link.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cp\u003ePrioritize the following actions to mitigate this XSS vulnerability:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the vendor\u0026rsquo;s recommended URL validation and sanitization for widget link fields to reject dangerous schemes like \u003ccode\u003ejavascript:\u003c/code\u003e and \u003ccode\u003edata:\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ApostropheCMS XSS via Javascript URL\u003c/code\u003e to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing a strict Content Security Policy (CSP) to limit the impact of potential XSS vulnerabilities.\u003c/li\u003e\n\u003cli\u003eUpgrade ApostropheCMS to a version that addresses CVE-2026-45011.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:30:11Z","date_published":"2026-05-14T18:30:11Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-xss/","summary":"A stored cross-site scripting vulnerability (CVE-2026-45011) was identified in ApostropheCMS image widget functionality, where a user with the Editor role can configure an image widget link to use a javascript: URL payload, which will execute arbitrary JavaScript in the victim’s browser when clicked.","title":"ApostropheCMS Stored XSS via Image Widget Link (CVE-2026-45011)","url":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["apostrophecms \u003c= 4.29.0"],"_cs_severities":["high"],"_cs_tags":["ssrf","apostrophecms","cve-2026-45012"],"_cs_type":"advisory","_cs_vendors":["apostrophe"],"content_html":"\u003cp\u003eApostropheCMS versions 4.29.0 and earlier are vulnerable to an authenticated server-side request forgery (SSRF) vulnerability (CVE-2026-45012) within the rich-text widget import functionality. An authenticated user, possessing the ability to submit or edit rich-text widget content, can manipulate the import process to induce the server to issue requests to arbitrary URLs during widget validation. By injecting a crafted \u003ccode\u003e\u0026lt;img src\u0026gt;\u003c/code\u003e tag within the imported HTML, an attacker can trigger the server to fetch content from a specified URL. If the server receives an image-compatible response, ApostropheCMS may persist and re-host the fetched content, creating a vector for exfiltration of sensitive information. This vulnerability enables attackers to perform internal port scanning and potentially exfiltrate data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker logs into the ApostropheCMS application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious rich-text widget payload containing an \u003ccode\u003eimport.html\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003eimport.html\u003c/code\u003e, the attacker includes an \u003ccode\u003e\u0026lt;img src\u0026gt;\u003c/code\u003e tag pointing to an attacker-controlled URL or internal resource.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the widget payload to the \u003ccode\u003e/api/v1/@apostrophecms/area/validate-widget?aposMode=draft\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003evalidate-widget\u003c/code\u003e route parses the HTML content, identifies the \u003ccode\u003e\u0026lt;img\u0026gt;\u003c/code\u003e tag, and resolves the URL.\u003c/li\u003e\n\u003cli\u003eThe server then performs an HTTP \u003ccode\u003efetch()\u003c/code\u003e request to the resolved URL, as specified in the \u003ccode\u003esrc\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eIf the response is image-compatible, ApostropheCMS attempts to process and store the fetched content as an image asset.\u003c/li\u003e\n\u003cli\u003eThe attacker can then access the re-hosted image through a generated image URL, potentially exfiltrating data. If the response is not an image, the SSRF still occurs and can be used for reconnaissance purposes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability, tracked as CVE-2026-45012, allows authenticated users with rich-text widget editing privileges to trigger server-side requests to arbitrary URLs. This can enable attackers to scan internal network resources (127.0.0.1, private subnets), perform blind or semi-blind internal port and service discovery, and potentially exfiltrate data by causing the application to store and re-host fetched image content. The vulnerability affects ApostropheCMS versions 4.29.0 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of ApostropheCMS that addresses the SSRF vulnerability (CVE-2026-45012).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect ApostropheCMS SSRF via validate-widget\u003c/code\u003e to detect requests to the vulnerable API endpoint with potentially malicious image URLs.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for HTTP requests to internal or unusual destinations originating from the ApostropheCMS server.\u003c/li\u003e\n\u003cli\u003eImplement strict input validation and sanitization for user-supplied URLs, especially within rich-text widgets, to prevent the injection of malicious URLs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T18:27:23Z","date_published":"2026-05-14T18:27:23Z","id":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-ssrf/","summary":"ApostropheCMS is vulnerable to authenticated server-side request forgery (SSRF) via rich-text widget import; an attacker with edit access can trigger server-side requests to attacker-controlled URLs during widget validation, enabling internal port scanning and potential data exfiltration by re-hosting image-compatible responses.","title":"ApostropheCMS Authenticated SSRF via Rich-Text Widget Import (CVE-2026-45012)","url":"https://feed.craftedsignal.io/briefs/2026-05-apostrophe-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Apostrophe","version":"https://jsonfeed.org/version/1.1"}