CVE-2026-53608
ApostropheCMS · @apostrophecms/seo package
The @apostrophecms/seo package fails to sanitize Google Analytics and Tag Manager IDs, leading to stored XSS via JavaScript template literal injection.
Executive summary
A vulnerability in the @apostrophecms/seo package allows authenticated editors to execute arbitrary JavaScript in the browsers of site visitors, posing a significant risk of session hijacking and data theft.
Vulnerability
This is a stored Cross-Site Scripting (XSS) vulnerability. It occurs because the package injects the configured Google Analytics and Tag Manager IDs directly into <script> tags without sanitization, so a value that breaks out of the surrounding JavaScript string is emitted as live script on every page. An attacker with editor-level credentials can store malicious payloads in these fields.
Business impact
Successful exploitation allows an attacker to execute malicious scripts on every page viewed by visitors, including administrators. Given the CVSS score of 8.7, this is a high-severity risk that could lead to unauthorized access to sensitive user data, credential theft, and severe reputational damage to the hosted platform.
Remediation
Immediate Action: Update the @apostrophecms/seo package to the latest version provided by the vendor, which implements proper input sanitization of the tracking ID fields.
Proactive Monitoring: Monitor site traffic and server logs for unexpected changes to the tracking ID settings, anomalous script execution, or unusual outbound requests originating from pages served by the CMS.
Compensating Controls: Deploy a Content Security Policy (CSP) that restricts the execution of unauthorized inline scripts to mitigate the impact of potential XSS attacks. Note that the legitimate analytics snippet is itself an inline script, so the policy must permit it via a nonce or hash rather than 'unsafe-inline', otherwise the injected script is allowed as well.
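The following is an added example, not code from the @apostrophecms/seo package, illustrating the class of defect described above and the input sanitization the fix calls for: a strict allowlist for tracking ID formats (the patterns are assumptions based on the documented GA4, Universal Analytics and GTM ID shapes) and a renderer that only ever emits the value as a JSON string literal. The hypothetical renderUnsafe function stands in for the unsanitized pattern; it is not the package's code.

```javascript
// Allowed tracking ID formats (assumed, based on published GA/GTM ID shapes).
const ID_PATTERNS = {
  ga4: /^G-[A-Z0-9]{4,12}$/,     // GA4 measurement ID, e.g. G-XXXXXXXXXX
  ua: /^UA-\d{4,10}-\d{1,4}$/,   // Universal Analytics property ID
  gtm: /^GTM-[A-Z0-9]{4,10}$/,   // Google Tag Manager container ID
};

// Returns the trimmed ID if it matches the allowlist for its kind, else null.
function validateTrackingId(kind, value) {
  const pattern = ID_PATTERNS[kind];
  if (!pattern || typeof value !== 'string') return null;
  const trimmed = value.trim();
  return pattern.test(trimmed) ? trimmed : null;
}

// Hypothetical unsanitized pattern (the defect class the advisory describes):
// the stored value is dropped straight into a template literal that becomes
// inline script, so anything in it reaches the visitor's browser as-is.
function renderUnsafe(measurementId) {
  return `<script>gtag('config', '${measurementId}');</script>`;
}

// Hardened pattern: reject anything outside the allowlist, then serialize the
// value with JSON.stringify so it is always a JS string literal. '</' is
// escaped so the value can never terminate the surrounding <script> element.
function renderSafe(kind, rawId) {
  const id = validateTrackingId(kind, rawId);
  if (id === null) {
    throw new Error(`Rejected ${kind} tracking ID: not an allowed format`);
  }
  const literal = JSON.stringify(id).replace(/<\//g, '<\\/');
  return `<script>gtag('config', ${literal});</script>`;
}

// Constructed sample inputs: a well-formed GA4 ID and one carrying characters
// that a template literal or string literal would interpret.
const SAMPLE_VALID = 'G-ABC123XYZ9';
const SAMPLE_INVALID = "G-ABC${'x'}";

function demo() {
  return {
    safe: renderSafe('ga4', SAMPLE_VALID),
    unsafePassesInputThrough: renderUnsafe(SAMPLE_INVALID).includes('${'),
    invalidRejected: validateTrackingId('ga4', SAMPLE_INVALID) === null,
  };
}
```

Applying validateTrackingId at save time (server side, not only in the editor UI) rejects the malformed value before it is ever stored, and renderSafe makes the output layer safe even if a bad value slips into the database.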
Exploitation status
Public Exploit Available: False
Analyst recommendation
Relying on unsanitized input to generate dynamic script is a critical security oversight. Organizations using this package must prioritize updating their dependencies immediately to prevent malicious actors from using editor-level access to compromise the entire visitor base.