<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ApostropheCMS - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/apostrophecms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 18:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/apostrophecms/feed.xml" rel="self" type="application/rss+xml"/><item><title>ApostropheCMS Stored XSS Vulnerability in SEO Fields Leads to Data Exposure</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-apostrophe-xss/</link><pubDate>Tue, 09 Jan 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-apostrophe-xss/</guid><description>A stored cross-site scripting (XSS) vulnerability exists in SEO-related fields (SEO Title and Meta Description) in ApostropheCMS v4.28.0, allowing injection of arbitrary JavaScript into HTML contexts, performing authenticated API requests, and exfiltrating sensitive data, leading to a compromise of application confidentiality.</description><content:encoded><![CDATA[<p>A stored cross-site scripting (XSS) vulnerability has been identified in ApostropheCMS, specifically affecting version v4.28.0. The vulnerability resides within the SEO Title and Meta Description fields, where user-controlled input is not properly neutralized. An attacker can inject arbitrary JavaScript code into these fields, which is then rendered in HTML contexts such as <code>&lt;title&gt;</code> tags, <code>&lt;meta&gt;</code> attributes, and structured data (JSON-LD). This injected script executes within the browser of an authenticated user, enabling the attacker to perform actions on their behalf, including making authenticated API requests to retrieve sensitive data such as usernames, email addresses, and roles (including admin), and exfiltrating it to an attacker-controlled server. This can lead to a full compromise of the affected application.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker logs into ApostropheCMS with an account that has permission to edit pages.</li>
<li>The attacker navigates to the page creation or editing interface within the CMS.</li>
<li>The attacker enters a malicious JavaScript payload into the SEO Title or Meta Description field. The payload is designed to execute when a user views the page.</li>
<li>The attacker saves and publishes the page with the injected XSS payload.</li>
<li>An administrator visits the published page via their web browser.</li>
<li>The XSS payload executes within the administrator's browser, using the administrator's authenticated session.</li>
<li>The JavaScript code makes an authenticated API request to <code>/api/v1/@apostrophecms/user</code> to retrieve user data.</li>
<li>The response containing sensitive user data (usernames, email addresses, roles) is then base64 encoded and exfiltrated to an attacker-controlled server at <code>http://ATTACKER-IP:5656/?data=BASE64_ENCODED_RESPONSE</code>.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows an attacker to execute arbitrary JavaScript code within the context of an authenticated administrator's session in ApostropheCMS. Successful exploitation allows the attacker to access and exfiltrate sensitive user data, including usernames, email addresses, and roles, potentially leading to privilege escalation and complete compromise of the application and its data.  The vulnerability affects ApostropheCMS versions up to and including v4.28.0.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the &quot;ApostropheCMS XSS in SEO Fields&quot; Sigma rule to detect attempts to inject malicious JavaScript into SEO-related fields (SEO Title and Meta Description).</li>
<li>Monitor web server logs for requests containing the specific API endpoint <code>/api/v1/@apostrophecms/user</code>, especially if the request is initiated from an unusual or unexpected user agent, based on the log source defined in the Sigma rules.</li>
<li>Inspect web server logs for outbound connections to external IPs (ATTACKER-IP) following a request to the vulnerable API endpoint as defined in the iocs section.</li>
<li>Apply patches or upgrade ApostropheCMS to a version beyond 4.28.0 to remediate CVE-2026-35569.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>apostrophecms</category><category>xss</category><category>stored-xss</category><category>data-exfiltration</category></item><item><title>ApostropheCMS Stored XSS Vulnerability in SEO Fields (CVE-2026-35569)</title><link>https://feed.craftedsignal.io/briefs/2024-01-apostrophe-cms-xss/</link><pubDate>Tue, 09 Jan 2024 18:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-apostrophe-cms-xss/</guid><description>A stored XSS vulnerability in ApostropheCMS versions 4.28.0 and prior allows attackers to inject arbitrary JavaScript into SEO-related fields, leading to potential data exfiltration and unauthorized actions.</description><content:encoded><![CDATA[<p>ApostropheCMS, a Node.js content management system, is vulnerable to a stored cross-site scripting (XSS) attack. This vulnerability, identified as CVE-2026-35569, affects versions 4.28.0 and earlier. The flaw resides in SEO-related fields, specifically the SEO Title and Meta Description, where user-controlled input is rendered without proper output encoding. An attacker can inject malicious JavaScript code that executes in the browser of any authenticated user viewing the affected page. The vulnerability has been patched in version 4.29.0. Exploitation of this vulnerability can lead to account takeover, sensitive information disclosure, and further malicious activities.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to the ApostropheCMS instance with sufficient privileges to modify SEO-related fields.</li>
<li>The attacker crafts a malicious payload, such as &quot;&gt;&lt;/title&gt;&lt;script&gt;alert(1)&lt;/script&gt;&quot;, designed to break out of the intended HTML context.</li>
<li>The attacker injects the malicious payload into the SEO Title or Meta Description field of a page or content item.</li>
<li>The attacker saves the changes to the page or content item, storing the XSS payload in the database.</li>
<li>An authenticated user views the page or content item with the injected XSS payload.</li>
<li>The malicious JavaScript code executes within the user's browser, allowing the attacker to perform actions on behalf of the user.</li>
<li>The attacker can leverage the XSS to make authenticated API requests to access sensitive data like usernames, email addresses, and roles.</li>
<li>The attacker exfiltrates the stolen data to an attacker-controlled server for further malicious use.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of the stored XSS vulnerability in ApostropheCMS (CVE-2026-35569) can have significant consequences. Attackers can potentially compromise user accounts, steal sensitive data, and perform unauthorized actions within the CMS. The impact depends on the privileges of the compromised user, but could range from defacing content to gaining full administrative control. The vulnerability affects any ApostropheCMS instance running version 4.28.0 or earlier, potentially impacting organizations across various sectors that rely on this CMS for their web content management needs.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade ApostropheCMS to version 4.29.0 or later to patch the vulnerability (CVE-2026-35569).</li>
<li>Implement input validation and output encoding on all user-supplied data, especially in SEO-related fields, to prevent XSS attacks.</li>
<li>Deploy the Sigma rule &quot;Detect ApostropheCMS XSS Payload in HTTP URI&quot; to identify attempts to exploit the vulnerability by monitoring web server logs for suspicious patterns.</li>
<li>Review and audit existing content for potentially malicious code injected into SEO Title and Meta Description fields.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>xss</category><category>apostrophecms</category><category>cve-2026-35569</category><category>web-application</category></item></channel></rss>