ApostropheCMS Stored Cross-Site Scripting Vulnerability in SEO Fields

Vulnerability

A stored cross-site scripting vulnerability has been identified in ApostropheCMS versions through 4.28.0. The issue resides in SEO-related fields, specifically the SEO Title and Meta Description, where user input is not properly encoded before being rendered in HTML contexts. This flaw allows an attacker to inject scripts that are executed in the browser of any authenticated user who views the affected page. Exploitation of this vulnerability could lead to unauthorized access to sensitive data via internal APIs, such as usernames, email addresses, and user roles.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of an authenticated user, potentially leading to the unauthorized access and exfiltration of sensitive data through internal APIs.

Reproduction

To reproduce this vulnerability, log into ApostropheCMS as an authenticated user and create or edit a page. Navigate to the SEO settings and insert a payload into the SEO Title and Meta Description fields. After saving and publishing the page, the injected script will execute in the browser of an administrator visiting the page, demonstrating the cross-site scripting vulnerability.

Remediation

Users are advised to upgrade to ApostropheCMS version 4.29.0 or later, which addresses this vulnerability by introducing proper output encoding for SEO fields and a mechanism for safely rendering JSON-LD structured data.
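The two output contexts named above need different encoders. This is an added example, not ApostropheCMS code or the actual 4.29.0 patch: it shows one way to encode SEO values for HTML and for a JSON-LD script block. The helper names (escapeHtml, safeJsonLd, renderSeoHead) and the sample input are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not ApostropheCMS code.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Serialize data for a <script type="application/ld+json"> block.
// JSON.stringify alone leaves "</script>" intact, so the characters that
// can end the script element or start a comment are emitted as \uXXXX
// escapes, which JSON parsers decode back to the original characters.
function safeJsonLd(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Render the SEO part of <head> with each value encoded for its context.
function renderSeoHead({ seoTitle, seoDescription }) {
  const jsonLd = safeJsonLd({
    '@context': 'https://schema.org',
    '@type': 'WebPage',
    name: seoTitle,
    description: seoDescription
  });
  return [
    `<title>${escapeHtml(seoTitle)}</title>`,
    `<meta name="description" content="${escapeHtml(seoDescription)}">`,
    `<script type="application/ld+json">${jsonLd}</script>`
  ].join('\n');
}

// Constructed editor input containing markup characters.
const sample = {
  seoTitle: 'Spring sale </title><b>bold</b>',
  seoDescription: 'Quote " and </script> inside a description'
};
console.log(renderSeoHead(sample));
```

In the rendered output the only `</title>` and `</script>` sequences are the ones the template itself emits, and the JSON-LD still parses back to the original strings.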

Added: Apr 15, 2026, 9:41 PM
Updated: Apr 15, 2026, 9:41 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 6.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.