Mercator Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Mercator versions prior to 2026.02.22. This vulnerability arises from the use of unescaped Blade directives in display templates, allowing authenticated users with the User role to inject arbitrary JavaScript into fields like 'contact point' when creating or editing entities. The injected script is executed in the browsers of users viewing the affected page, including administrators.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page. In this case, it can lead to the exfiltration of an administrator's XSRF-TOKEN, potentially allowing an attacker to perform actions on behalf of the administrator.
Reproduction
To reproduce this vulnerability, an authenticated user with the User role can inject a JavaScript payload into the 'contact point' field while creating or editing an entity. Once the entity is saved, the injected script will execute in the browser of any user who views the page, including administrators.
Remediation
Users can update to Mercator version 2026.02.22 or later, which addresses this vulnerability by sanitizing input through the 'mews/purifier' package and correcting Blade template rendering. Instructions for updating can be found in the Mercator repository on GitHub.
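The template-side half of this bug and its fix, as an added Python model that is not Mercator's code: a constructed Blade fragment renders the user-controlled field with the raw `{!! !!}` echo, an audit helper lists every raw echo in a template, and a rewrite to `{{ }}` shows the same value coming out escaped. The server-side 'mews/purifier' step from the fix is not modelled; `$entity->contact_point` and the sample table are assumed names for illustration.

```python
import html
import re

# Blade's two echo forms: {!! expr !!} emits the value raw, {{ expr }} passes it
# through e() first. A leading '@' tells Blade to leave the directive literal,
# so the lookbehind skips those. Group 1 = raw expression, group 2 = escaped.
ECHO = re.compile(r"(?<!@)(?:\{!!\s*(.*?)\s*!!\}|\{\{\s*(.*?)\s*\}\})", re.DOTALL)

# Constructed template fragment modelled on the advisory's description; it is
# not Mercator's actual view. Line 3 renders the user-controlled field raw.
SAMPLE_TEMPLATE = """\
<table>
  <tr><th>Name</th><td>{{ $entity->name }}</td></tr>
  <tr><th>Contact point</th><td>{!! $entity->contact_point !!}</td></tr>
</table>
"""

# Constructed sample of what a User-role account could save in the field.
PAYLOAD = "<script>alert(1)</script>"
SAMPLE_CONTEXT = {"$entity->name": "ACME", "$entity->contact_point": PAYLOAD}


def blade_escape(value: str) -> str:
    """Stand-in for Laravel's e() helper (htmlspecialchars with ENT_QUOTES).
    PHP emits &#039; for a single quote where Python emits &#x27;; both are inert."""
    return html.escape(value, quote=True)


def find_raw_echoes(template: str) -> list[tuple[int, str]]:
    """Audit helper: (line number, expression) for every {!! !!} in a template."""
    return [(template.count("\n", 0, m.start()) + 1, m.group(1))
            for m in ECHO.finditer(template) if m.group(1) is not None]


def to_escaped_echo(template: str) -> str:
    """The template-side fix: rewrite every {!! expr !!} as {{ expr }}."""
    return ECHO.sub(lambda m: m.group(0) if m.group(1) is None
                    else "{{ " + m.group(1) + " }}", template)


def render(template: str, context: dict[str, str]) -> str:
    """Minimal model of Blade echo rendering over a flat expression -> value map."""
    def substitute(m: re.Match) -> str:
        raw, escaped = m.group(1), m.group(2)
        return context[raw] if raw is not None else blade_escape(context[escaped])
    return ECHO.sub(substitute, template)


if __name__ == "__main__":
    for line_no, expr in find_raw_echoes(SAMPLE_TEMPLATE):
        print(f"raw echo at line {line_no}: {expr}")
    print(render(to_escaped_echo(SAMPLE_TEMPLATE), SAMPLE_CONTEXT))
```

Run against a real checkout, `find_raw_echoes` over each `.blade.php` file gives the list of raw echoes a reviewer has to justify one by one; any that carry user input belong in `{{ }}` or behind the purifier.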
