Full Report
CERT Polska has received a report about 3 vulnerabilities (from CVE-2026-24350 to CVE-2026-24352) found in PluXml CMS software.
Analysis Summary
Structured summary of the reported flaws in PluXml CMS:
# Vulnerability: PluXml CMS Stored XSS and Session Fixation Flaws
## CVE Details
- CVE ID: CVE-2026-24350 (Stored XSS via uploaded SVG file)
- CVSS Score: Not provided in the report
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation - XSS)
- CVE ID: CVE-2026-24351 (Stored XSS via static page content)
- CVSS Score: Not provided in the report
- CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation - XSS)
- CVE ID: CVE-2026-24352 (Session Fixation)
- CVSS Score: Not provided in the report
- CWE: CWE-384 (Session Fixation)
## Affected Systems
- Products: PluXml CMS
- Versions: 5.8.21 and 5.9.0-rc7 were tested and confirmed vulnerable; other versions may also be affected, as only these two were tested.
- Configurations: CVE-2026-24350 and CVE-2026-24351 require an authenticated account (with file upload rights and static page editing rights respectively). CVE-2026-24352 concerns session handling across the authentication boundary: the session ID assigned before login survives login.
## Vulnerability Description
**CVE-2026-24350 (Stored XSS via File Upload):** An authenticated user with upload rights can upload an SVG file containing script. Because a browser treats an SVG opened as a document (rather than embedded via `<img>`) as active content, the script runs in the site's origin when a victim follows the link to the uploaded image. In version 5.9.0-rc7, opening the uploaded file directly also executes the payload.
**CVE-2026-24351 (Stored XSS via Static Pages):** A user with editing privileges for static pages can inject arbitrary HTML and JavaScript into page content. The content is stored unsanitized and rendered for every visitor of the edited page, so the script executes in each visitor's browser.
**CVE-2026-24352 (Session Fixation):** A session identifier can be established before the user authenticates, and the same identifier is retained after a successful login instead of being regenerated. An attacker who gets a known session ID into a victim's browser beforehand therefore holds a valid authenticated session once the victim logs in.
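The session-fixation flow of CVE-2026-24352, modelled as an added example in Python (this is not PluXml code): a minimal cookie-based session store whose login routine either keeps the pre-authentication session ID, as the report describes, or rotates it, which is the fix for CWE-384. The `Server` class, the `USERS` credential store and the `fixation_attack` helper are constructed for this illustration; how the attacker gets the ID into the victim's browser is assumed and not modelled. Note that the server below already refuses session IDs it did not issue, yet the attack still works on the vulnerable variant because the attacker simply plants a server-issued anonymous ID; only regenerating the ID at login closes the hole.

```python
import secrets

# Added illustrative model of the session-fixation flaw (CVE-2026-24352).
# Not PluXml code: Server, USERS and fixation_attack are constructed here.

USERS = {"victim": "correct-horse"}  # constructed credential store


class Server:
    """Cookie-based session store. regenerate_on_login selects the behaviour:
    False models the reported flaw (pre-auth ID kept after login),
    True models the fix for CWE-384 (fresh ID issued, old one invalidated)."""

    def __init__(self, regenerate_on_login):
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # sid -> {"user": username or None}

    def _new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def visit(self, sid):
        """Any request: a missing or unknown session cookie gets a fresh
        anonymous session (the equivalent of PHP session.use_strict_mode=1);
        a known one is reused."""
        if sid is None or sid not in self.sessions:
            return self._new_session()
        return sid

    def login(self, sid, username, password):
        """Returns (session ID to set in the cookie, success flag)."""
        sid = self.visit(sid)
        if USERS.get(username) != password:
            return sid, False
        if self.regenerate_on_login:
            # Hardened path: drop the pre-authentication ID so any copy an
            # attacker planted or recorded no longer maps to a session.
            del self.sessions[sid]
            sid = self._new_session()
        self.sessions[sid]["user"] = username
        return sid, True

    def whoami(self, sid):
        """User bound to the presented session ID, or None."""
        session = self.sessions.get(sid)
        return session["user"] if session else None


def fixation_attack(server):
    """Play out the attack; returns what each party sees afterwards."""
    # 1. Attacker obtains a valid anonymous session ID from the server.
    planted = server.visit(None)
    # 2. Attacker gets the victim's browser to present that ID (delivery
    #    mechanism assumed, not modelled).
    # 3. Victim logs in while carrying the planted ID.
    victim_sid, ok = server.login(planted, "victim", "correct-horse")
    if not ok:
        raise RuntimeError("constructed credentials must be valid")
    # 4. Attacker presents the ID it planted.
    return {
        "attacker_sees": server.whoami(planted),
        "victim_sees": server.whoami(victim_sid),
    }


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(Server(regenerate_on_login=False)))
    print("hardened:  ", fixation_attack(Server(regenerate_on_login=True)))
```

On the vulnerable server the attacker's planted ID resolves to the victim's account after login; on the hardened server it resolves to nothing, while the victim's new cookie works normally. In PHP the equivalent of the hardened path is calling `session_regenerate_id(true)` immediately after credentials are verified.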
## Exploitation
- Status: The report does not state whether the flaws are exploited in the wild or whether a public proof of concept exists.
- Complexity: Both XSS vectors require an authenticated account with the relevant privilege (file upload for CVE-2026-24350, static page editing for CVE-2026-24351) and a victim who opens the content. The session fixation requires the attacker to get a known session ID into the victim's browser before the victim logs in; the report does not describe the delivery mechanism, so practical complexity depends on whether such a vector exists in a given deployment.
- Attack Vector: Network (via Web Interface).
## Impact
*Note: the report does not quantify impact; the following is inferred from the vulnerability classes.*
- Confidentiality: Script running in a victim's browser (typically an administrator reviewing uploaded or edited content) can read cookies not marked HttpOnly, CSRF tokens and any content visible to the victim; session fixation yields the victim's full authenticated session.
- Integrity: Actions performed in the victim's authenticated context (editing content, changing account settings) via XSS or a hijacked session.
- Availability: Limited; a hijacked session could be used to disrupt or lock out users, but these vulnerability classes primarily affect confidentiality and integrity.
## Remediation
### Patches
- The vendor did not provide patch details before public disclosure, so **specific patched versions are currently unknown.** Check the PluXml release notes for a release that references these CVEs rather than assuming the latest stable version is fixed.
### Workarounds
- Restrict file upload and static page editing to trusted accounts, and review existing uploads (especially SVG files) and static page content for `<script>` elements, `on*` event handler attributes and `javascript:` URLs (to mitigate CVE-2026-24350 and CVE-2026-24351).
- Treat uploaded SVG files as active content rather than images: disallow SVG uploads where not needed, or serve the upload directory with `Content-Disposition: attachment` and a `Content-Security-Policy: sandbox` header so a file opened directly cannot run script in the site's origin. This is general hardening for any application that stores user-supplied SVG, not PluXml-specific guidance.
- Until a fix that regenerates the session ID on login is available, reduce the window for session fixation: in PHP set `session.use_strict_mode=1` (the server refuses session IDs it did not issue) and `session.use_only_cookies=1`, and keep session lifetimes short. Strict mode does not stop an attacker who plants a server-issued ID, so it is a partial mitigation only.
## Detection
- **Indicators of compromise:** SVG files in the upload directory containing `<script>`, `on*` handler attributes or `javascript:` URLs; static page content containing script or handler attributes that no editor placed; a session ID seen from one client (IP address, User-Agent) before a login and from a different client afterwards.
- **Detection methods and tools:** Scan stored uploads and static page content for the patterns above rather than relying only on a WAF, which sees the upload request but not content stored before a rule existed. Review web server logs for uploads of `.svg` files and for POST requests to content management functions by accounts that do not normally use them. Where session IDs are logged, correlate them across client addresses to spot takeover.
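A static check for script-capable content in SVG files, usable both as the upload gate suggested under Workarounds and as a sweep of an existing upload directory for the indicators listed above. This is an added example, not PluXml code; the two sample files, the element and scheme lists and the function names are constructed for this illustration. It also normalises away whitespace and control characters inside URL schemes, which browsers ignore, so `java<TAB>script:` is caught as `javascript:`.

```python
import xml.etree.ElementTree as ET

# Added example: static check for script-capable content in uploaded SVG files.
# Not PluXml code; sample files below are constructed for this example.
# Note: xml.etree does not limit entity expansion; parse untrusted XML with
# defusedxml in production.

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="red"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="java&#x09;script:alert(1)"><text y="20">click</text></a>
</svg>"""

# Elements that execute script or embed foreign content inside an SVG
# (set/animate can rewrite attributes such as href at runtime).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "set", "animate"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(qname):
    """Strip the {namespace} prefix ElementTree adds to tag/attribute names."""
    return qname.rsplit("}", 1)[-1].lower()


def _normalise(value):
    """Drop whitespace and control characters browsers ignore when parsing a
    URL scheme, so a tab inside 'javascript:' does not hide it."""
    return "".join(ch for ch in value if ord(ch) > 0x20).lower()


def scripted_svg_findings(data):
    """Return the reasons the file must not be accepted as a plain image;
    an empty list means nothing script-capable was found."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    if _local(root.tag) != "svg":
        findings.append("root element is <%s>, not <svg>" % _local(root.tag))
    for el in root.iter():
        name = _local(el.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append("<%s> element" % name)
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append("<%s> has event handler attribute %s" % (name, aname))
            if aname in ("href", "src"):
                url = _normalise(value)
                if url.startswith(DANGEROUS_SCHEMES):
                    scheme = url.split(":", 1)[0] + ":"
                    findings.append("<%s> %s uses scheme %s" % (name, aname, scheme))
    return findings


def is_safe_svg(data):
    """Upload-gate form of the check."""
    return not scripted_svg_findings(data)


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, scripted_svg_findings(sample) or "clean")
```

This is a denylist: it catches the vectors named in the report but not every way an SVG can reach out (for example `<use>` or `<style>` referencing external resources), so it complements, rather than replaces, serving uploads with `Content-Disposition: attachment` or a sandboxing CSP. To sweep an existing upload directory, feed each `.svg` file's bytes to `scripted_svg_findings` and review any file that returns a non-empty list.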
## References
- Vendor advisories: None listed; the vendor had not responded at the time of disclosure.
- Relevant links:
- https://incydent.cert.pl/#!/lang=en
- https://cert.pl/en/cvd/