Summary
Vulnerability: Stored DOM XSS via Pages Added to Menu (Persistent Payload Injection)
- Stored Cross-Site Scripting via Unsafe Rendering of Page Entries in Menu Management
Description
The application fails to properly sanitize user-controlled input when adding Pages to navigation menus through the Menu Management functionality. Page-related data selected via the Pages section is stored server-side and rendered without proper output encoding.
This stored payload is later rendered unsafely within administrative interfaces and public-facing navigation menus, leading to stored DOM-based cross-site scripting (XSS).
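The flaw described above, shown as an added example that is not the application's own code: a menu renderer that concatenates stored page fields into markup, beside one that encodes each field on output. The entry fields title and url and all function names are assumptions; the link check goes slightly beyond the report, which only covers the page data rendered in the menu.

```javascript
// Added example. Field names (title, url) and function names are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for HTML element content and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only site-relative paths and http(s) links; anything else becomes "#".
function safeHref(url) {
  const u = String(url).trim();
  if (/^\/(?![\/\\])/.test(u)) return u; // "/about", but not "//host" or "/\host"
  if (/^https?:\/\//i.test(u)) return u;
  return "#";
}

// Vulnerable pattern: stored fields are concatenated into markup as-is.
function renderMenuUnsafe(entries) {
  const items = entries.map((e) => `<li><a href="${e.url}">${e.title}</a></li>`);
  return `<ul>${items.join("")}</ul>`;
}

// Hardened pattern: every stored field is encoded for the context it lands in.
// In browser code the equivalent is assigning textContent instead of innerHTML.
function renderMenuSafe(entries) {
  const items = entries.map(
    (e) => `<li><a href="${escapeHtml(safeHref(e.url))}">${escapeHtml(e.title)}</a></li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// Constructed sample data: the second title is the PoC string from this report.
const storedMenu = [
  { title: "About us", url: "/about" },
  { title: "<img src=x onerror=alert(document.domain)>", url: "/promo" },
];

console.log(renderMenuUnsafe(storedMenu)); // markup contains a live <img> element
console.log(renderMenuSafe(storedMenu));   // title is rendered as inert text
```

Encoding at render time protects every view that reads the stored menu, including entries saved before any input filter was added.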
Affected Functionality
- Menu Management – Pages section
- Adding pages to navigation menus
- Menu storage and rendering logic
Attack Scenario
- An attacker creates or controls a page containing a malicious JavaScript payload.
- The attacker adds the page to the menu using the Pages functionality in Menu Manager.
- The application stores the menu entry without sanitization or encoding.
- The payload persists and executes whenever the menu is rendered in administrative or public-facing interfaces.
Impact
- Persistent Stored DOM XSS
- Execution of arbitrary JavaScript in victims’ browsers
- Privilege escalation when viewed by administrators or privileged users
- Full administrator account takeover
- Full account takeover across all roles via the navigation menu
- Full compromise of the entire application due to global execution in the navigation menu
Endpoint:
Steps To Reproduce (POC)
- Navigate to the Menu Management section of the application.
- Use the Pages functionality to add a page containing an XSS payload such as:
<img src=x onerror=alert(document.domain)>
- Save the menu entry.
- View the menu in the administrative panel or any public-facing page.
- Observe the JavaScript payload executing automatically when the menu is rendered.
Remediation