ApostropheCMS 4.28.0 is vulnerable to a cross-site scripting (CWE-79) issue due to a regression in its sanitize-html dependency (version 2.17.1). The sanitize-html code incorrectly assumes that htmlparser2 does not decode entities inside textarea and option elements, skipping escaping for these tags. However, htmlparser2 10.x decodes entities before text is processed, allowing entity-encoded HTML to be decoded and injected as literal HTML, bypassing allowedTags filtering. This enables attackers to inject arbitrary tags, including XSS payloads, through allowed option or textarea elements. The vulnerability affects non-default configurations that include these tags in allowedTags. The issue was fixed in sanitize-html 2.17.2 and ApostropheCMS 4.29.0.

An attacker can inject arbitrary HTML tags, including malicious scripts, into ApostropheCMS instances configured to allow option or textarea tags, leading to cross-site scripting attacks. This can result in limited confidentiality and integrity impacts via script execution in the context of the affected web application. The vulnerability requires user interaction (UI:R) and has network attack vector (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N). There are no known exploits in the wild at this time.

A fix is available. Users should upgrade ApostropheCMS to version 4.29.0 or later, which includes the patched sanitize-html dependency version 2.17.2. Applying these updates will resolve the XSS vulnerability. Until upgraded, avoid configurations that allow option or textarea tags in allowedTags or apply additional input validation controls. Patch status is confirmed by the vendor advisory indicating the fix in version 4.29.0.