The vulnerability allows stored cross-site scripting through an unsanitized user display name that appears in a tooltip for draft versions of content. Because the data is stored, any user creating a new content draft can embed arbitrary JavaScript into their display name, which will later be rendered as a tooltip when other users, including administrators, view the draft. The injected payload runs with the privileges of the browser session that opens the tooltip and can steal session cookies, deface the site, or redirect users. This flaw is a typical input validation weakness (CWE-79) and does not require special authentication beyond the ability to create or edit a draft.

This flaw affects ApostropheCMS version 4.29.0 and earlier. The affected product is the open-source Node.js content management system ApostropheCMS from the vendor apostrophecms, product Apostrophe. No patched versions were available at the time of publication.

With a CVSS score of 5.3 the vulnerability is moderate in severity. No EPSS score was published, and the issue is not listed in the CISA KEV catalog, indicating that, while the flaw could be exploited, it is not known to be actively used in the wild. The attack vector is inferred to be B, i.e., local or remote if an attacker can create a draft. An attacker would need to supply an unsanitized user name when creating or editing content. Because the tooltip rendering occurs in the client browser, exploitation requires that a privileged user view the affected draft. The lack of an official patch means that the exposure remains until the software is updated.