Connect-CMS, DOM-based Cross-Site Scripting (XSS), (No CVE) – High severity

Listen to this Post

How the mentioned vulnerability works:

The Cabinet Plugin in Connect-CMS provides a list view that displays file and folder names. This view is rendered client‑side using JavaScript that dynamically injects content into the DOM. When a user creates a cabinet item (file or folder) with a name containing a malicious JavaScript payload (e.g., <img src=x onerror=alert(1)>), the unsanitized string is later retrieved via an API and directly inserted into the DOM using unsafe methods such as innerHTML. Because the payload is not properly escaped or sanitized, the browser executes the injected script in the context of the victim’s session. The flaw requires the attacker to be an authenticated user (to create or modify cabinet items) and the victim to subsequently view the cabinet list. The vulnerability affects all versions from 1.35.0 up to (but not including) 1.41.1, and from 2.35.0 up to (but not including) 2.41.1. The root cause is the absence of proper output encoding when rendering user‑supplied file/folder names in the JavaScript‑driven list view. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of the victim, or theft of sensitive data stored in the browser.

dailycve form:

Platform: Connect-CMS
Version: 1.35.0-1.41.0/2.35.0-2.41.0
Vulnerability: DOM-based XSS
Severity: High
date: Mar 23, 2026

Prediction: Patched Mar 23

What Undercode Say:

Analytics

Check installed Connect-CMS version (composer.json)
cat composer.json | grep '"connect-cms/connect-cms"' | head -1
Alternatively, if version is stored in config
grep -r "VERSION" /path/to/connect-cms/
Detect vulnerable Cabinet Plugin version
Look for version definition in app/Plugins/Cabinet/CabinetPlugin.php
php -r "include 'app/Plugins/Cabinet/CabinetPlugin.php'; echo CabinetPlugin::VERSION;"
Example XSS payload (for testing)
echo '<img src=x onerror=alert(document.cookie)>' > malicious_filename.txt
// Vulnerable pattern (simplified)
function renderCabinetList(items) {
const container = document.getElementById('cabinet-list');
container.innerHTML = items.map(item => <code><div>${item.name}</div></code>).join('');
}
// Fixed pattern (using textContent or sanitization)
function renderCabinetListFixed(items) {
const container = document.getElementById('cabinet-list');
container.innerHTML = '';
items.forEach(item => {
const div = document.createElement('div');
div.textContent = item.name;
container.appendChild(div);
});
}

How Exploit:

  1. Authenticated attacker creates a cabinet folder or file with a name containing a DOM XSS payload (e.g., <img src=x onerror=alert('XSS')>).
  2. Victim with sufficient privileges navigates to the Cabinet Plugin list view.
  3. The client‑side JavaScript fetches the cabinet items and unsafely injects the payload into the DOM.
  4. The payload executes in the victim’s browser, allowing session theft, data exfiltration, or unauthorized actions.

Protection from this CVE

  • Update Connect-CMS to version 1.41.1 (for 1.x series) or 2.41.1 (for 2.x series).
  • If immediate patching is not possible, apply a Content Security Policy (CSP) that disallows `unsafe-inline` for script sources.
  • Sanitize or escape all user‑supplied filenames before rendering them on the client side, using methods like `textContent` or a trusted sanitization library.

Impact

  • Arbitrary JavaScript execution in the victim’s browser context.
  • Potential session hijacking and account takeover.
  • Disclosure of sensitive data accessible to the authenticated user.
  • Ability to perform privileged actions on behalf of the victim.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top