# SSCMS Reflected Cross-Site Scripting via STL Processing (CVE-2026-7429)

**Author:** Beatriz Fresno Naumova, hss94531\
\
**Date:** 30/04/2026\
\
**Vendor:** siteserver\
\
**Product:** SSCMS\
\
**Version Affected:** 7.4.0\
\
**Component:** STL processing endpoint (`/api/stl/actions/dynamic`)\
\
**CWE:** CWE-79 – Improper Neutralization of Input During Web Page Generation\
\
**Attack Vector:** Network

### Description

SSCMS v7.4.0 contains a Reflected Cross-Site Scripting (XSS) vulnerability in the STL template processing mechanism.

The application receives encrypted parameters via the `/api/stl/actions/dynamic` endpoint in an unauthenticated context. These parameters are decrypted and parsed as STL template content. The `yesTemplate` content is returned directly in the HTML field of the response without proper sanitization or output encoding.

This allows an attacker to inject arbitrary HTML or JavaScript into the response, which is subsequently executed in the victim's browser.

### Impact

Successful exploitation may allow:

* Execution of arbitrary JavaScript in the victim’s browser
* Session hijacking
* Phishing attacks
* Unauthorized actions performed on behalf of authenticated users

### CVSS Details

**CVSS v3.1 Vector:**\
`CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N`

**Base Score:** 4.6 (Medium)

**CVSS v4.0 Vector:**\
`CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N`

**Base Score:** 2.1 (Low)

### Proof of Concept (PoC)

#### Steps to Reproduce

1. **Install SSCMS v7.4.0.**
2. **Identify the vulnerable endpoint:**
   * `/api/stl/actions/dynamic`
   * Accepts encrypted STL content.
3. **Create a malicious STL payload:**

```xml
<stl:if test="true">
  <yesTemplate><![CDATA[<script>alert('XSS')</script>]]></yesTemplate>
</stl:if>
```

4. **Encrypt the payload:**
   * Use the system’s `security_key`.
   * In lab environments, it may be hardcoded.
   * Alternatively, generate valid STL content as an administrator.
5. **Send the payload to the endpoint:**
   * Submit the encrypted payload via a POST request.
6. **Verify exploitation:**
   * The `yesTemplate` content is returned without sanitization.
   * When rendered in the browser, the injected script is executed.

### Mitigation

* Apply proper output encoding when rendering HTML content.
* Sanitize STL template content before processing or rendering it.
* Restrict access to the dynamic STL processing endpoint.
* Avoid processing user-controlled input without proper validation.
* Update to a patched version when available.

### Discoverer

* Beatriz Fresno Naumova
* hss94531

### References

* **CVE:** <https://www.cve.org/CVERecord?id=CVE-2026-7429>
* **VulnCheck Advisory:** <https://www.vulncheck.com/advisories/sscms-reflected-cross-site-scripting-via-stl-processing>


