CVE-2014-4710

Vulnerability

ZeroCMS 1.0 contains a persistent cross-site scripting (XSS) vulnerability in the zero_user_account.php script. The application fails to sanitize the "Full Name" field during user registration, storing unsanitized input in the backend database. This stored data is later executed when any logged-in user visits subsequent pages, leading to script injection. The vulnerability affects ZeroCMS version 1.0 as confirmed by the exploit disclosure [1].

Exploitation

An attacker can exploit this vulnerability by visiting the "Create Account" page (e.g., http://localhost/zerocms/zero_transact_user.php) and entering a malicious XSS payload into the "Full Name" field. No prior authentication is required to register an account. Once the account is created, the payload is stored in the database and automatically executed when any authenticated user (including administrators) views a page that renders the stored data, such as user listings or profile pages [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement of the CMS interface, theft of sensitive information (e.g., cookies, tokens), or further attacks against other users. The impact is elevated because the XSS is persistent and can affect all users who interact with the compromised data [1].

Mitigation

As of the public disclosure date (2014-07-25), no official patch or updated version has been released by the vendor. The vendor was notified on 2014-06-23 but did not provide a fix. Administrators should implement input validation and output encoding for all user-supplied fields, particularly the "Full Name" field, as a workaround. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Users are advised to consider migrating to a supported CMS if no update becomes available [1].