SSCMS Reflected Cross-Site Scripting via STL Processing (CVE-2026-7429)

Author: Beatriz Fresno Naumova, hss94531

Date: 30/04/2026

Vendor: siteserver

Product: SSCMS

Version Affected: 7.4.0

Component: STL processing endpoint (/api/stl/actions/dynamic)

CWE: CWE-79 – Improper Neutralization of Input During Web Page Generation

Attack Vector: Network

Description

SSCMS v7.4.0 contains a Reflected Cross-Site Scripting (XSS) vulnerability in the STL template processing mechanism.

The application receives encrypted parameters via the /api/stl/actions/dynamic endpoint in an unauthenticated context. These parameters are decrypted and parsed as STL template content. The yesTemplate content is returned directly in the HTML field of the response without proper sanitization or output encoding.

This allows an attacker to inject arbitrary HTML or JavaScript into the response, which is subsequently executed in the victim's browser.

Impact

Successful exploitation may allow:

  • Execution of arbitrary JavaScript in the victim’s browser

  • Session hijacking

  • Phishing attacks

  • Unauthorized actions performed on behalf of authenticated users

CVSS Details

CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Base Score: 4.6 (Medium)

CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Base Score: 2.1 (Low)

Proof of Concept (PoC)

Steps to Reproduce

  1. Install SSCMS v7.4.0.

  2. Identify the vulnerable endpoint:

    • /api/stl/actions/dynamic

    • Accepts encrypted STL content.

  3. Create a malicious STL payload:

  4. Encrypt the payload:

    • Use the system’s security_key.

    • In lab environments, it may be hardcoded.

    • Alternatively, generate valid STL content as an administrator.

  5. Send the payload to the endpoint:

    • Submit the encrypted payload via a POST request.

  6. Verify exploitation:

    • The yesTemplate content is returned without sanitization.

    • When rendered in the browser, the injected script is executed.

    • The yesTemplate content is returned without sanitization.

    • When rendered in the browser, the injected script is executed.

Mitigation

  • Apply proper output encoding when rendering HTML content.

  • Sanitize STL template content before processing or rendering it.

  • Restrict access to the dynamic STL processing endpoint.

  • Avoid processing user-controlled input without proper validation.

  • Update to a patched version when available.

Discoverer

  • Beatriz Fresno Naumova

  • hss94531
