Title | Automad Automad flat-file CMS 2.0.0-alpha.37 Stored Cross Site Scripting |
---|
Description | A Stored Cross-Site Scripting (XSS) vulnerability was discovered in Automad flat-file CMS, version 2.0.0-alpha.37. The "Brand" field under the general settings section fails to sanitize user input properly. An attacker can inject malicious JavaScript code which is stored and later executed in the context of the application when the public page is accessed.
Affected Component: "Brand" field in General Data and Files
HTML Element: <textarea id="am-field__brand" name="data[brand]">...</textarea>
Vulnerable Endpoint: /dashboard/shared?section=settings
Test Payload: <script>alert('PoC VulDB Automad CMS')</script>
Steps to Reproduce:
1 - Go to the admin panel: /dashboard/page
2 - Navigate to “General Data and Files”
3 - Inject the payload in the Brand field
4 - Click Publish
5 - Visit: /demo/{page-id}/
The payload is executed, confirming the stored XSS |
---|
Source | https://github.com/RaulPazemecxas/PoCVulDb/blob/main/README5.md |
---|
User | RaulPACXXX (UID 84502) |
---|
Submission | 06/14/2025 11:35 PM (1 month ago) |
---|
Moderation | 06/15/2025 03:29 PM (16 hours later) |
---|
Status | Duplicate |
---|
VulDB Entry | 248684 [automad up to 1.10.9 Setting post.php sitename cross site scripting] |
---|
Points | 0 |
---|
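The root cause described above is a stored setting that reaches the public page without HTML encoding. The following added example (not Automad's own code, and not from the submitter) contrasts the vulnerable rendering pattern with the hardened one and adds a small audit over stored settings, the kind of check a site operator can run against a settings dump. The `STORED_BRAND` value is a constructed sample built from the payload quoted in the report; the function names `render_brand_unsafe`, `render_brand_safe` and `audit_settings` are hypothetical. Automad itself is written in PHP, where `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` at the output point plays the role that `html.escape` plays here.

```python
import html
import re

# Constructed sample value, mirroring the test payload quoted in the report.
STORED_BRAND = "<script>alert('PoC VulDB Automad CMS')</script>"


def render_brand_unsafe(brand: str) -> str:
    """Vulnerable pattern: the stored setting is concatenated into HTML verbatim.

    Any markup saved in the field becomes part of the page and executes for
    every visitor (stored XSS).
    """
    return f'<a class="brand" href="/">{brand}</a>'


def render_brand_safe(brand: str) -> str:
    """Hardened pattern: HTML-encode the value at the point of output.

    The field is rendered in an HTML text context, so escaping <, >, &, and
    both quote characters is sufficient for that context. Encoding on output
    (rather than stripping on input) keeps the stored value intact for the
    editor while making it inert in the page.
    """
    return f'<a class="brand" href="/">{html.escape(brand, quote=True)}</a>'


# Markers that have no business in a plain-text setting such as a brand name:
# an HTML tag opener, an inline event handler attribute, or a javascript: URL.
_MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon\w+\s*=|javascript:", re.IGNORECASE)


def audit_settings(settings: dict) -> list:
    """Defensive check over stored settings: return the keys whose values carry
    markup or script handlers, so an operator can review them after an incident
    or before upgrading."""
    return [k for k, v in settings.items() if isinstance(v, str) and _MARKUP.search(v)]


if __name__ == "__main__":
    print(render_brand_unsafe(STORED_BRAND))   # script tag reaches the page as-is
    print(render_brand_safe(STORED_BRAND))     # &lt;script&gt;... rendered as text
    print(audit_settings({"brand": STORED_BRAND, "sitename": "My Site"}))  # ['brand']
```

The audit is a triage aid, not a sanitizer: the fix is the encoding in `render_brand_safe` (or its PHP equivalent in the template), applied wherever the setting is printed, including any second location such as a page title or meta tag.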