📄 Description (English)
Execution After Redirect (EAR) vulnerability in Sarman Soft Software and Technology Services Industry and Trade Ltd. Co. CMS allows JSON Hijacking (aka JavaScript Hijacking), Authentication Bypass.This issue affects CMS: through 10022026.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
🤖 AI Executive Summary
A critical Execution After Redirect (EAR) vulnerability in Sarman Soft CMS versions through 10022026 enables JSON hijacking and authentication bypass attacks with a CVSS score of 8.7. The vulnerability allows attackers to execute arbitrary code after redirect operations, potentially compromising CMS instances across Saudi organizations. With no vendor response to early disclosure and exploit development likely imminent, immediate patching is essential for all affected deployments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 20:20
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi government agencies, municipalities, and private sector organizations using Sarman Soft CMS for content management and web portals. Government entities under NCA oversight, ARAMCO subsidiary web properties, banking sector customer portals, healthcare facility websites, and telecommunications provider CMS installations are particularly vulnerable. The authentication bypass capability could enable unauthorized access to sensitive administrative functions, customer data, and internal communications. JSON hijacking attacks could lead to session theft and lateral movement within organizational networks.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare
Energy and Utilities
Telecommunications
Education
E-commerce
Media and Publishing
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.4
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Sarman Soft CMS instances in your environment (versions through 10022026)
2. Isolate affected systems from production networks if patch cannot be applied immediately
3. Review access logs for suspicious redirect patterns and JSON requests
4. Reset all administrative credentials and session tokens
5. Enable enhanced logging for authentication and redirect operations
PATCHING:
1. Contact Sarman Soft directly for available patches (note: vendor has been unresponsive)
2. Apply patches to all CMS instances immediately upon availability
3. Test patches in staging environment before production deployment
4. Implement version control to prevent rollback to vulnerable versions
COMPENSATING CONTROLS (if patch unavailable):
1. Implement Web Application Firewall (WAF) rules to detect and block redirect-based attacks
2. Deploy JSON content validation and sanitization at application layer
3. Enforce strict Content Security Policy (CSP) headers to prevent JavaScript hijacking
4. Implement multi-factor authentication (MFA) for all administrative accounts
5. Use HTTP-only and Secure flags on session cookies
6. Implement rate limiting on authentication endpoints
7. Deploy network segmentation to isolate CMS from critical systems
DETECTION RULES:
1. Monitor for unusual redirect chains (Location header followed by JSON responses)
2. Alert on authentication bypass attempts (successful logins without proper credential validation)
3. Track JSON responses containing executable code or suspicious scripts
4. Monitor for session token manipulation in redirect parameters
5. Log and alert on cross-origin requests to CMS endpoints
6. Implement SIEM rules for POST requests to redirect endpoints with JSON payloads
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع نسخ Sarman Soft CMS في بيئتك (الإصدارات حتى 10022026)
2. عزل الأنظمة المتأثرة عن شبكات الإنتاج إذا لم يكن التصحيح متاحاً فوراً
3. مراجعة سجلات الوصول للأنماط المريبة في عمليات إعادة التوجيه
4. إعادة تعيين جميع بيانات اعتماد المسؤولين ورموز الجلسات
5. تفعيل السجلات المحسّنة لعمليات المصادقة وإعادة التوجيه
تطبيق التصحيحات:
1. التواصل مع Sarman Soft للحصول على التصحيحات المتاحة
2. تطبيق التصحيحات على جميع نسخ CMS فوراً عند توفرها
3. اختبار التصحيحات في بيئة الاختبار قبل الإنتاج
4. تنفيذ التحكم في الإصدارات لمنع العودة للإصدارات الضعيفة
الضوابط البديلة (إذا لم يكن التصحيح متاحاً):
1. تنفيذ قواعد جدار حماية تطبيقات الويب لكشف وحجب هجمات إعادة التوجيه
2. نشر التحقق من صحة محتوى JSON والتطهير على مستوى التطبيق
3. فرض سياسة أمان المحتوى الصارمة (CSP)
4. تنفيذ المصادقة متعددة العوامل لجميع حسابات المسؤولين
5. استخدام أعلام HTTP-only و Secure على ملفات تعريف الجلسة
6. تنفيذ تحديد معدل على نقاط نهاية المصادقة
7. نشر تقسيم الشبكة لعزل CMS عن الأنظمة الحرجة
قواعد الكشف:
1. مراقبة سلاسل إعادة التوجيه غير العادية
2. التنبيه على محاولات تجاوز المصادقة
3. تتبع استجابات JSON التي تحتوي على أكواد قابلة للتنفيذ
4. مراقبة معالجة رموز الجلسات في معاملات إعادة التوجيه
5. تسجيل والتنبيه على الطلبات عبر الأصول إلى نقاط نهاية CMS
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.6.2.1 - User Registration and De-registration
A.6.2.2 - User Access Provisioning
A.8.2.1 - User Authentication
A.8.2.3 - Password Management
A.8.3.1 - Access Control Implementation
A.10.1.1 - Event Logging
A.10.1.2 - Protection of Log Information
A.12.4.1 - Event Logging
A.14.2.1 - Secure Development Policy
🔵 SAMA CSF
ID.AM-2 - Software Inventory
PR.AC-1 - Access Control Policy
PR.AC-4 - Access Rights Management
PR.AU-2 - User Activity Monitoring
PR.DS-2 - Data-in-Transit Protection
DE.AE-1 - Anomalies and Events Detection
DE.CM-1 - System Monitoring
RS.AN-1 - Characterization of Incident
🟡 ISO 27001:2022
5.15 - Access Control
5.16 - Authentication
5.23 - Cryptography
8.1 - Information Security Risk Assessment
8.2 - Information Security Risk Treatment
8.22 - Monitoring, Measurement, Analysis and Evaluation
8.23 - Internal Audit
A.5.1 - Policies for Information Security
A.6.1 - Access Control
A.6.2 - User Access Management
A.8.2 - Privileged Access Rights
A.8.3 - Access Control Implementation
A.10.1 - Audit Logging
🟣 PCI DSS v4.0.1
Requirement 2.1 - Configuration Standards
Requirement 6.2 - Security Patches
Requirement 6.5.10 - Broken Authentication
Requirement 7 - Restrict Access to Data
Requirement 8.1 - User Identification
Requirement 8.2 - Authentication
Requirement 10 - Logging and Monitoring
🔗 References & Sources 1