VYPR
Unrated severity · NVD Advisory · Published Jun 3, 2026

CVE-2026-36748

Description

Rock RMS versions 16.13 and before 17.7.0 are vulnerable to XSS via social media links in user profiles, allowing privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Rock RMS versions 16.13 and before 17.7.0 are affected by a cross-site scripting (XSS) vulnerability within the Social Media Links feature on the user profile page. This vulnerability arises from a lack of input sanitization in the fields intended for social network links on the 'My Account' page. A specially crafted update to these fields can lead to arbitrary JavaScript execution [1].

Exploitation

An attacker can exploit this vulnerability by placing a malicious payload in the Social Media Links section of their own user profile. The XSS payload is triggered when an administrator views the attacker's profile page, for example while reviewing new accounts or after being persuaded to open the profile under the guise of troubleshooting an issue. No action by the administrator beyond viewing the malicious profile is required [1].

Impact

Successful exploitation allows an attacker to escalate their privileges from a standard user account to an administrator account. This is achieved through arbitrary JavaScript execution within the context of an administrator's browser session. The attacker gains administrative privileges, enabling them to perform actions with elevated permissions within the Rock RMS platform [1].

Mitigation

Rock RMS versions 16.13 and before 17.7.0 are affected. Information regarding a fixed version or a release date for a patch is not yet available in the provided references. No workarounds are currently disclosed [1, 2].

AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The Social Media Links feature in user profiles lacks server-side input sanitization, allowing for arbitrary JavaScript execution."

Attack vector

An attacker can craft a malicious payload and insert it into the Social Media Links fields within a user's profile page. When an administrator views this profile, the payload executes within the administrator's browser session, leading to privilege escalation. This attack does not require direct interaction from the target administrator, but relies on them visiting the compromised profile page [1].

Affected code

The vulnerability resides in the Social Media Links feature within the 'My Account' user profile page. Specifically, the input fields intended for links to social networks are not sanitized server-side. This lack of sanitization allows for the injection of malicious JavaScript payloads [1].
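The advisory gives no code, so the following is an added illustration (not Rock RMS code) of the server-side validation and output encoding whose absence is described above. The field names, the host allowlist and the rendering template are assumptions; the inputs are constructed.

```javascript
// Assumed field names and host allowlist (constructed; not Rock RMS values).
const SOCIAL_LINK_HOSTS = {
  Twitter: ['twitter.com', 'x.com'],
  Facebook: ['facebook.com', 'www.facebook.com'],
  Instagram: ['instagram.com', 'www.instagram.com'],
};

// Server-side validation of one submitted profile link. Returns the
// normalised https URL to store, or null when the value must be rejected.
function validateSocialLink(field, value) {
  const hosts = SOCIAL_LINK_HOSTS[field];
  if (!hosts || typeof value !== 'string' || value.length > 2048) return null;
  let url;
  try {
    url = new URL(value.trim());   // WHATWG parser; throws on relative input
  } catch {
    return null;
  }
  // Scheme allowlist: only https is a link; script and data schemes never pass.
  if (url.protocol !== 'https:') return null;
  if (!hosts.includes(url.hostname.toLowerCase())) return null;
  if (url.username || url.password) return null;   // no embedded credentials
  return url.href;   // parser has lowercased the host and percent-encoded the query
}

// Output encoding for HTML attribute and text contexts. Applied at render
// time even though the input was validated: defence in depth.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the stored links as a safe profile template would.
function renderSocialLinks(stored) {
  return Object.entries(stored)
    .filter(([, href]) => href !== null)
    .map(([field, href]) =>
      `<a rel="nofollow noopener" href="${htmlEncode(href)}">${htmlEncode(field)}</a>`)
    .join('\n');
}

// Constructed submissions: a valid link whose query needs encoding, a
// non-https scheme, and a host that is not the named network.
function demo() {
  const submitted = {
    Twitter: 'https://twitter.com/example_user?ref=a&b="c"',
    Facebook: 'ftp://facebook.com/example_user',
    Instagram: 'https://link-shortener.example/abc',
  };
  const stored = Object.fromEntries(
    Object.entries(submitted).map(([f, v]) => [f, validateSocialLink(f, v)]));
  return { stored, html: renderSocialLinks(stored) };
}
```

Rejected values are never stored, and the one accepted value is still encoded at render time, so a stored link can only ever be a link.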

What the fix does

The advisory recommends disabling the Social Media Links feature within user profiles to mitigate this vulnerability. This is achieved by navigating to Admin > Settings > General > Person Attributes and unchecking the 'Active' checkbox for each social media type. This action removes the vulnerable input fields from the 'My Account' page, thereby eliminating the attack surface [1]. No specific code changes are shown, but this configuration change effectively prevents the vulnerability.

Preconditions

  • config: The Social Media Links feature must be enabled within the Rock RMS settings [1].
  • auth: The attacker must have a standard user account to modify their profile.
  • network: The administrator must view the compromised user profile page.

Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)