Threat Intelligence Database

ApostropheCMS versions up to and including 4.30.0 contain a prototype pollution vulnerability in the apos.util.set() function. This allows an authenticated editor to modify Object.prototype via the $pullAll patch operator. The vulnerability enables bypassing authorization on all piece-type REST API endpoints for all subsequent unauthenticated requests during the Node.js process lifetime. No patched versions are currently available.

ApostropheCMS versions up to and including 4.29.0 contain a stored cross-site scripting (XSS) vulnerability. This occurs due to improper neutralization of user input in the display name shown in draft version tooltips. No patched versions are currently available for this vulnerability. The CVSS 4.0 base score is 5.3, indicating a medium severity risk.

ApostropheCMS versions up to and including 4.29.0 have an improper input validation vulnerability in the password reset flow. The reset URL is constructed using the HTTP Host header without proper validation when apos.baseUrl is not configured. An unauthenticated attacker can exploit this by sending a crafted reset request that causes the victim to receive a reset link pointing to the attacker's domain. Clicking the link exposes the valid reset token to the attacker, enabling full account takeover. No patch is currently available for this vulnerability.

ApostropheCMS versions up to and including 4.29.0 contain an authenticated server-side request forgery (SSRF) vulnerability in the rich-text widget import flow. An authenticated user able to submit or edit rich-text widget content can cause the server to fetch URLs controlled by an attacker during widget validation. If the response is image-compatible, the content can be persisted and re-hosted by ApostropheCMS, enabling potential exfiltration of the response data. No patched versions are currently available for this vulnerability.

ApostropheCMS version 4.29.0 contains a stored cross-site scripting (XSS) vulnerability in its image widget functionality. An Editor-level user can configure an image widget link with a javascript: URL, which can be published to the live site. When other users, including administrators or public visitors, click the malicious link, arbitrary JavaScript executes in their browsers. No patched versions are currently available for this vulnerability.