Summary
Vulnerability: Stored DOM XSS via Blog Tag Name (Persistent Payload Injection)
- Stored Cross-Site Scripting via Unsanitized Blog Tag Name in Blog Management
Description
The application fails to properly sanitize user-controlled input when creating or editing blog tags. An attacker can inject a malicious JavaScript payload into the tag name field, which is then stored server-side.
This stored payload is later rendered unsafely across public tag pages and administrative interfaces without proper output encoding, leading to stored cross-site scripting (XSS).
Affected Functionality
- Blog tag creation functionality
- Blog tag editing functionality
- Blog tag storage and retrieval logic
Attack Scenario
- An attacker creates or edits a blog tag name to include a malicious XSS payload.
- The application stores this value without sanitization or encoding.
- The payload persists and executes whenever the tag name is rendered in affected views.
Impact
- Persistent Stored XSS
- Execution of arbitrary JavaScript in victims’ browsers
- Privilege escalation when viewed by administrators or privileged users
- Full administrator account takeover
- Full account takeover across all roles
- Full compromise of the entire application
Endpoints:
/backend/blogs/tags/
/blog/{id}
Steps To Reproduce (POC)
- Go to the Blog Tags management page
- Create or edit a tag and insert an XSS payload into the tag name such as:
<img src=x onerror=alert(document.domain)>
- Save the tag
- View a public blog page or the administrative interface where the tag is rendered
- Notice the XSS payload executing automatically
Remediation
- Avoid unsafe DOM manipulation methods: Do not use .html(), innerHTML, or similar sink functions in client-side JavaScript or server-side templating (e.g., PHP). Even when user input flowing into these sinks is not immediately apparent, they can introduce Cross-Site Scripting (XSS) vulnerabilities that an...