{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/apostrophecms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-35569"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ApostropheCMS"],"_cs_severities":["high"],"_cs_tags":["apostrophecms","xss","stored-xss","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["ApostropheCMS"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability has been identified in ApostropheCMS, specifically affecting version v4.28.0. The vulnerability resides within the SEO Title and Meta Description fields, where user-controlled input is not properly neutralized. An attacker can inject arbitrary JavaScript code into these fields, which is then rendered in HTML contexts such as \u003ccode\u003e\u0026lt;title\u0026gt;\u003c/code\u003e tags, \u003ccode\u003e\u0026lt;meta\u0026gt;\u003c/code\u003e attributes, and structured data (JSON-LD). This injected script executes within the browser of an authenticated user, enabling the attacker to perform actions on their behalf, including making authenticated API requests to retrieve sensitive data such as usernames, email addresses, and roles (including admin), and exfiltrating it to an attacker-controlled server. This can lead to a full compromise of the affected application.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker logs into ApostropheCMS with an account that has permission to edit pages.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the page creation or editing interface within the CMS.\u003c/li\u003e\n\u003cli\u003eThe attacker enters a malicious JavaScript payload into the SEO Title or Meta Description field. The payload is designed to execute when a user views the page.\u003c/li\u003e\n\u003cli\u003eThe attacker saves and publishes the page with the injected XSS payload.\u003c/li\u003e\n\u003cli\u003eAn administrator visits the published page via their web browser.\u003c/li\u003e\n\u003cli\u003eThe XSS payload executes within the administrator's browser, using the administrator's authenticated session.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code makes an authenticated API request to \u003ccode\u003e/api/v1/@apostrophecms/user\u003c/code\u003e to retrieve user data.\u003c/li\u003e\n\u003cli\u003eThe response containing sensitive user data (usernames, email addresses, roles) is then base64 encoded and exfiltrated to an attacker-controlled server at \u003ccode\u003ehttp://ATTACKER-IP:5656/?data=BASE64_ENCODED_RESPONSE\u003c/code\u003e.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability allows an attacker to execute arbitrary JavaScript code within the context of an authenticated administrator's session in ApostropheCMS. Successful exploitation allows the attacker to access and exfiltrate sensitive user data, including usernames, email addresses, and roles, potentially leading to privilege escalation and complete compromise of the application and its data.  The vulnerability affects ApostropheCMS versions up to and including v4.28.0.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;ApostropheCMS XSS in SEO Fields\u0026quot; Sigma rule to detect attempts to inject malicious JavaScript into SEO-related fields (SEO Title and Meta Description).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing the specific API endpoint \u003ccode\u003e/api/v1/@apostrophecms/user\u003c/code\u003e, especially if the request is initiated from an unusual or unexpected user agent, based on the log source defined in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eInspect web server logs for outbound connections to external IPs (ATTACKER-IP) following a request to the vulnerable API endpoint as defined in the iocs section.\u003c/li\u003e\n\u003cli\u003eApply patches or upgrade ApostropheCMS to a version beyond 4.28.0 to remediate CVE-2026-35569.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:22:00Z","date_published":"2024-01-09T18:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-09-apostrophe-xss/","summary":"A stored cross-site scripting (XSS) vulnerability exists in SEO-related fields (SEO Title and Meta Description) in ApostropheCMS v4.28.0, allowing injection of arbitrary JavaScript into HTML contexts, performing authenticated API requests, and exfiltrating sensitive data, leading to a compromise of application confidentiality.","title":"ApostropheCMS Stored XSS Vulnerability in SEO Fields Leads to Data Exposure","url":"https://feed.craftedsignal.io/briefs/2024-01-09-apostrophe-xss/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.7,"id":"CVE-2026-35569"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ApostropheCMS"],"_cs_severities":["high"],"_cs_tags":["xss","apostrophecms","cve-2026-35569","web-application"],"_cs_type":"advisory","_cs_vendors":["ApostropheCMS"],"content_html":"\u003cp\u003eApostropheCMS, a Node.js content management system, is vulnerable to a stored cross-site scripting (XSS) attack. This vulnerability, identified as CVE-2026-35569, affects versions 4.28.0 and earlier. The flaw resides in SEO-related fields, specifically the SEO Title and Meta Description, where user-controlled input is rendered without proper output encoding. An attacker can inject malicious JavaScript code that executes in the browser of any authenticated user viewing the affected page. The vulnerability has been patched in version 4.29.0. Exploitation of this vulnerability can lead to account takeover, sensitive information disclosure, and further malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the ApostropheCMS instance with sufficient privileges to modify SEO-related fields.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload, such as \u0026quot;\u0026gt;\u0026lt;/title\u0026gt;\u0026lt;script\u0026gt;alert(1)\u0026lt;/script\u0026gt;\u0026quot;, designed to break out of the intended HTML context.\u003c/li\u003e\n\u003cli\u003eThe attacker injects the malicious payload into the SEO Title or Meta Description field of a page or content item.\u003c/li\u003e\n\u003cli\u003eThe attacker saves the changes to the page or content item, storing the XSS payload in the database.\u003c/li\u003e\n\u003cli\u003eAn authenticated user views the page or content item with the injected XSS payload.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code executes within the user's browser, allowing the attacker to perform actions on behalf of the user.\u003c/li\u003e\n\u003cli\u003eThe attacker can leverage the XSS to make authenticated API requests to access sensitive data like usernames, email addresses, and roles.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates the stolen data to an attacker-controlled server for further malicious use.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the stored XSS vulnerability in ApostropheCMS (CVE-2026-35569) can have significant consequences. Attackers can potentially compromise user accounts, steal sensitive data, and perform unauthorized actions within the CMS. The impact depends on the privileges of the compromised user, but could range from defacing content to gaining full administrative control. The vulnerability affects any ApostropheCMS instance running version 4.28.0 or earlier, potentially impacting organizations across various sectors that rely on this CMS for their web content management needs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ApostropheCMS to version 4.29.0 or later to patch the vulnerability (CVE-2026-35569).\u003c/li\u003e\n\u003cli\u003eImplement input validation and output encoding on all user-supplied data, especially in SEO-related fields, to prevent XSS attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect ApostropheCMS XSS Payload in HTTP URI\u0026quot; to identify attempts to exploit the vulnerability by monitoring web server logs for suspicious patterns.\u003c/li\u003e\n\u003cli\u003eReview and audit existing content for potentially malicious code injected into SEO Title and Meta Description fields.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:00:00Z","date_published":"2024-01-09T18:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-apostrophe-cms-xss/","summary":"A stored XSS vulnerability in ApostropheCMS versions 4.28.0 and prior allows attackers to inject arbitrary JavaScript into SEO-related fields, leading to potential data exfiltration and unauthorized actions.","title":"ApostropheCMS Stored XSS Vulnerability in SEO Fields (CVE-2026-35569)","url":"https://feed.craftedsignal.io/briefs/2024-01-apostrophe-cms-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - ApostropheCMS","version":"https://jsonfeed.org/version/1.1"}