Apostrophe

3 CVEs

CVE-2026-53609 CRITICAL Act Now

Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object.prototype via the $pullAll patch operator, ultimately bypassing authorization on all piece-type REST API endpoints for unauthenticated requests until the Node.js process restarts. The flaw stems from apos.util.set() failing to sanitize __proto__ in dot-notation paths. No public exploit had been identified at time of analysis, but the advisory describes a confirmed exploitation gadget in publicApiCheck(). No vendor-released patch had been identified at time of analysis, making this an open-window risk for any internet-exposed editor account.

Tags: Prototype Pollution, Authentication Bypass, Node.js, Apostrophe
References: NVD, GitHub
CVSS 3.1: 9.1
EPSS: 0.1%
CVE-2026-53607 LOW Monitor

Server-Side Request Forgery in ApostropheCMS through version 4.30.0 allows unauthenticated remote attackers to pivot the Node.js application process into issuing outbound HTTP requests to arbitrary hosts on the internal network when the `prettyUrls` SEO feature is explicitly enabled on the `@apostrophecms/file` module. The attack exploits the raw `Host` HTTP request header, which the pretty-URL handler uses verbatim to construct and `fetch()` an upstream URL, streaming the full HTTP response - status code, headers, and body - back to the requester. Practical impact is constrained to blind SSRF (network-topology probing via response-code and timing oracles, and verbose proxy or WAF error-body disclosure) rather than arbitrary data exfiltration; no patch exists at time of publication and no public exploit has been identified.

Tags: Node.js, SSRF, Apostrophe
References: NVD, GitHub
CVSS 3.1: 3.7
EPSS: 0.0%
CVE-2026-45014 MEDIUM This Month

Stored cross-site scripting in ApostropheCMS up to and including version 4.29.0 allows an attacker who controls a user account to inject malicious script into the draft version tooltip via an unsanitized display name field. Any editor or administrator who subsequently views that tooltip in the CMS backend will execute the attacker's payload in their browser, enabling session hijacking or unauthorized action execution. No public exploit has been identified at time of analysis and no patched version is available per the vendor advisory.

Tags: XSS, Node.js, Apostrophe
References: NVD, GitHub
CVSS 4.0: 5.3
EPSS: 0.0%