CVE-2023-26952 in onekeyadmin

Summary

by MITRE • 03/08/2023

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Menu module.


Analysis

by VulDB Data Team • 11/13/2025

The vulnerability identified as CVE-2023-26952 affects onekeyadmin version 1.3.9 and is a critical stored cross-site scripting flaw in the Add Menu module. It is classified under CWE-79, which covers cross-site scripting: malicious script is injected into a web application and later executed in the browsers of other users. Because the vulnerability is stored rather than reflected, the payload is saved persistently on the server and served to every user who accesses the affected functionality, which makes widespread impact far more likely.

Technically, the flaw lies in the Add Menu module of onekeyadmin, where user input is neither properly sanitized nor validated before it is stored and later rendered in the web interface. Once an attacker injects JavaScript through this module, the script persists in the application's database and runs whenever another user views the affected menu items. Any user with access to the admin panel or to the menu display therefore becomes a potential victim, since the injected code executes in that user's browser context and with that user's privileges.

The operational impact of this vulnerability goes beyond simple data theft or session hijacking. Stored XSS can be leveraged for a wide range of malicious activity, including but not limited to stealing administrator credentials, modifying content, redirecting users to malicious sites, or even executing arbitrary commands on the affected system. The attack surface is particularly concerning because onekeyadmin is typically used as an administrative tool, so successful exploitation could lead to complete compromise of the administrative interface and potentially of the entire underlying system. This vulnerability aligns with ATT&CK technique T1531, which focuses on use of unauthorized system features, and T1566, which covers credential access through social engineering and web-based attacks.

Organizations running this vulnerable version of onekeyadmin should immediately apply mitigations, namely input validation and output encoding for all user-supplied data handled by the Add Menu module. The recommended approach is to sanitize every input field, apply a strict Content Security Policy, and ensure that all user-generated content is escaped for its output context before it is stored or rendered. Organizations should also consider a web application firewall to detect and block suspicious payloads, conduct thorough security testing of all administrative modules, and keep vulnerability assessments current so that similar weaknesses in other components of their web applications are identified. The vulnerability illustrates how critical it is to validate and sanitize all user input in web applications, especially within administrative interfaces, where the impact of exploitation is significantly amplified.
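To make the mitigation concrete, the following added example (written for this page, not code from onekeyadmin or from VulDB) models a menu store like the one behind an Add Menu form and contrasts a vulnerable render that interpolates the stored name directly with a hardened render that HTML-encodes the name and URL at output time and allow-lists the URL scheme. The store, the field names and the CSP value are assumptions for illustration.

```python
import html
from dataclasses import dataclass, field


@dataclass
class MenuStore:
    """Constructed stand-in for the application's persisted menu table."""
    items: dict = field(default_factory=dict)  # name -> url

    def add(self, name: str, url: str) -> None:
        # Saved exactly as submitted; persistence is what makes the XSS "stored".
        self.items[name] = url


def render_menu_vulnerable(store: MenuStore) -> str:
    # Raw interpolation: whatever was saved is emitted as live markup.
    rows = "".join(f'<li><a href="{u}">{n}</a></li>' for n, u in store.items.items())
    return f"<ul>{rows}</ul>"


def _safe_href(url: str) -> str:
    # Assumed policy: only same-site paths and http(s) links are allowed as menu targets;
    # anything else (other URL schemes) is replaced by an inert fragment.
    return url if url.startswith(("/", "https://", "http://")) else "#"


def render_menu_hardened(store: MenuStore) -> str:
    # Encode for the HTML text and attribute contexts at render time; quote=True also
    # escapes quote characters so a stored value cannot break out of the href attribute.
    rows = "".join(
        f'<li><a href="{html.escape(_safe_href(u), quote=True)}">'
        f"{html.escape(n, quote=True)}</a></li>"
        for n, u in store.items.items()
    )
    return f"<ul>{rows}</ul>"


# Assumed defence-in-depth header: blocks inline script even if encoding is missed somewhere.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def demo(name: str = "<script>alert(1)</script>", url: str = "/admin") -> tuple:
    """Store one constructed menu entry and return (vulnerable_html, hardened_html)."""
    store = MenuStore()
    store.add(name, url)
    return render_menu_vulnerable(store), render_menu_hardened(store)
```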

Reservation: 02/27/2023

Disclosure: 03/08/2023

Moderation: accepted

CPE: ready

EPSS: 0.00198

KEV: no

Activities: very low

Sources
