Executive Summary

CVE-2026-29598 is a stored cross-site scripting (XSS) vulnerability found in DDSN Interactive Acora CMS version 10.7.1. It exists in the user management functionality, specifically in the submit_add_user.asp endpoint. An attacker, typically an administrator with permissions to add or edit user details, can inject malicious JavaScript code into the First Name and Last Name input fields. This malicious script is then stored persistently in the application's database and executed whenever the affected user data is displayed in the user interface.

Useful 0 Not Useful 0

Impact Analysis

Exploitation of this vulnerability allows attackers to execute arbitrary JavaScript code in the browsers of other users who view the affected user data. This can lead to serious security issues such as session hijacking, credential theft, and unauthorized actions performed on behalf of the victim user.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the user management endpoints, specifically "/submit_add_user.asp" and "/submit_edit_user.asp", for stored cross-site scripting (XSS) issues.

A practical approach is to attempt injecting a crafted JavaScript payload into the "First Name" and "Last Name" input fields when adding or editing a user, then observe if the script executes when the user data is displayed.

Since this is a web application vulnerability, detection commands would involve using web testing tools or scripts rather than simple network commands.

• Use a web proxy tool like Burp Suite or OWASP ZAP to intercept and modify requests to "/submit_add_user.asp" and "/submit_edit_user.asp" by injecting payloads such as <script>alert('XSS')</script> into the "First Name" and "Last Name" fields.
• Manually submit forms with JavaScript payloads and then check the user interface for execution of the injected script.
• Automate testing with tools like OWASP ZAP's active scanner or custom scripts that POST data with XSS payloads to the vulnerable endpoints.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs on the server side, especially the "First Name" and "Last Name" fields in the user management endpoints.

Implement output encoding to ensure that any stored data is safely rendered in the user interface without executing as code.

Restrict administrative access to trusted users only, as exploitation requires permissions to add or edit user details.

If possible, apply any available patches or updates from the vendor that address this vulnerability.

As a temporary measure, monitor and audit user management activities for suspicious input or behavior.

Useful 0 Not Useful 0

Compliance Impact

The stored cross-site scripting (XSS) vulnerability in DDSN Interactive Acora CMS v10.7.1 allows attackers to execute arbitrary scripts in users' browsers, which can lead to session hijacking, credential theft, and unauthorized actions.

Such security weaknesses can compromise the confidentiality and integrity of user data, potentially violating data protection requirements under regulations like GDPR and HIPAA that mandate safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, this vulnerability may negatively impact compliance with these standards by exposing user data to unauthorized access and misuse.

Useful 0 Not Useful 0