VYPR
Medium severity 4.8 · NVD Advisory · Published Oct 28, 2017 · Updated May 13, 2026

CVE-2017-15948

Description

Perch Content Management System 3.0.3 allows unrestricted file upload (with resultant XSS) via the Asset Title field in conjunction with the Select File field. This is exploitable with a Limited Admin account.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Perch CMS 3.0.3 allows Limited Admin users to upload arbitrary files via the Asset Title and Select File fields, leading to stored XSS.

Vulnerability

Perch Content Management System 3.0.3 suffers from an unrestricted file upload vulnerability in the "Adding a New Asset" module. The Asset Title text field and the Select File file upload field in the POST request process insufficiently validate input, allowing an authenticated user with a Limited Admin account to upload a file with arbitrary content (e.g., an HTML or JavaScript file) and set a malicious title that includes script payloads [1]. This results in stored cross-site scripting (XSS) because the injected payload is subsequently rendered in the asset management interface.

Exploitation

An attacker needs a Limited Admin account (lowest administrative privilege) and network access to the Perch CMS admin panel. The attacker navigates to the "Assets" section, selects "Add New Asset", fills the `Asset Title` field with a crafted XSS payload, and chooses a file (which can be a malicious HTML or JavaScript file) via the `Select File` field. Submitting the form stores the malicious title and file on the server. No additional user interaction is required for the XSS to trigger when an admin views the asset list [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin interface when other administrators browse the assets. This can lead to session hijacking, creation of new admin accounts, or defacement. The file upload component also enables the placement of arbitrary files (including executable scripts) on the server, potentially enabling remote code execution if the file can be accessed through the web root. The attacker is limited by their existing account privileges but can escalate if XSS targets a more privileged admin [1].

Mitigation

As of the publication date (2017-10-28), no patch or fixed version was available. The vendor was notified but a fix was not confirmed. The recommended workaround is to restrict access to the admin panel, limit Limited Admin accounts to the minimum necessary, and validate all file uploads server-side. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization in the Asset Title field and missing file-type validation in the Select File upload field allow stored XSS and unrestricted file upload."

Attack vector

An attacker with a Limited Admin account sends a POST request to the "Adding a New Asset" module. The `Asset Title` field accepts arbitrary JavaScript payloads that are stored in the database and later rendered unsanitized in the admin interface, causing stored cross-site scripting (XSS) [CWE-79]. Simultaneously, the `Select File` field allows uploading any file type (e.g., a `.html` or `.svg` file containing script code) to the web server, which can then be accessed directly to trigger XSS in a victim's browser [ref_id=1]. The attack requires authenticated access (Limited Admin) and user interaction (the victim must view the asset or uploaded file).

Affected code

The vulnerability resides in the "Adding a New Asset" module of Perch CMS 3.0.3. The `Asset Title` input field and the `Select File` upload field in the POST request handler are both affected — the title field lacks output sanitization, and the file upload field lacks type/extension restrictions [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory [ref_id=1] does not provide a vendor fix or remediation commit. To close the vulnerability, the application should sanitize or encode the `Asset Title` output before rendering it in the admin interface (to prevent stored XSS) and validate the `Select File` upload by restricting allowed file extensions and MIME types (to prevent unrestricted file upload).
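The two controls named above (encode the title at output time; allowlist the upload by extension and by actual content, not by the client's declared type) are shown together in the following added example. It is illustrative code written for this page, not Perch's own handler: the function names, the `Upload` record, the allowlist contents and the length cap are all assumptions, and the stored file is given a server-generated name so the client's filename never decides how the web server treats it.

```python
import html
import os
import uuid
from dataclasses import dataclass

# Constructed allowlist for this example: extension -> (MIME type to serve,
# magic-byte prefixes a genuine file of that type starts with).  Script-bearing
# types (.html, .svg, .js, .php, ...) are simply absent, so they can never pass.
ALLOWED_TYPES = {
    "png":  ("image/png",       (b"\x89PNG\r\n\x1a\n",)),
    "jpg":  ("image/jpeg",      (b"\xff\xd8\xff",)),
    "jpeg": ("image/jpeg",      (b"\xff\xd8\xff",)),
    "gif":  ("image/gif",       (b"GIF87a", b"GIF89a")),
    "pdf":  ("application/pdf", (b"%PDF-",)),
}
MAX_TITLE_LEN = 200  # assumed cap; not a Perch setting


@dataclass
class Upload:
    filename: str   # name as supplied by the client: untrusted
    content: bytes  # raw bytes of the uploaded file


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def validate_upload(upload: Upload) -> tuple[str, str]:
    """Check an upload against the allowlist and return (stored_name, ext).

    The client's filename is used only to read the extension; the file is
    stored under a server-generated name, so path components and a name
    chosen to look like a script never reach the web root.
    """
    base = os.path.basename(upload.filename.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing file extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} is not allowed")
    _, magics = ALLOWED_TYPES[ext]
    # Never trust the client-declared Content-Type: sniff the bytes instead.
    if not any(upload.content.startswith(m) for m in magics):
        raise UploadRejected("file content does not match its extension")
    stored_name = f"{uuid.uuid4().hex}.{ext}"
    return stored_name, ext


def validate_title(title: str) -> str:
    """Keep the title as plain text with a length cap; encoding happens at output."""
    title = title.strip()
    if not title or len(title) > MAX_TITLE_LEN:
        raise ValueError("title is empty or too long")
    return title


def render_asset_row(title: str, stored_name: str) -> str:
    """Build the admin-list row with every untrusted value HTML-encoded."""
    safe_title = html.escape(title, quote=True)
    safe_name = html.escape(stored_name, quote=True)
    return (f"<tr><td>{safe_title}</td>"
            f"<td><a href=\"/assets/{safe_name}\">download</a></td></tr>")


def response_headers_for_asset(ext: str) -> dict:
    """Headers to serve a stored asset with: a fixed MIME type from the allowlist,
    no browser content sniffing, and a download disposition for non-image types
    so the file is never rendered as a page in the admin origin."""
    mime, _ = ALLOWED_TYPES[ext]
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline" if mime.startswith("image/") else "attachment",
    }


def add_asset(title: str, upload: Upload) -> dict:
    """Full 'add new asset' path: validate both fields, return the stored record."""
    clean_title = validate_title(title)
    stored_name, ext = validate_upload(upload)
    return {"title": clean_title, "stored_name": stored_name, "ext": ext,
            "row_html": render_asset_row(clean_title, stored_name)}
```

Two design points worth keeping in mind when adapting this: the title is stored raw and encoded at the point of rendering (encoding on input breaks legitimate titles and is lost the moment another view renders the same field), and magic-byte sniffing on its own does not defeat image/HTML polyglots, which is why the serving headers pin the MIME type and disable sniffing, and why assets are best served from a separate origin rather than the admin one.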

Preconditions

  • Auth: Attacker must have a Limited Admin account on the Perch CMS instance.
  • Input: The victim must browse to the asset management page or directly access the uploaded malicious file.

Reproduction

1. Log in to Perch CMS 3.0.3 with a Limited Admin account.
2. Navigate to the "Adding a New Asset" module.
3. In the `Asset Title` field, enter a JavaScript payload such as `<script>alert(1)</script>`.
4. In the `Select File` field, choose a file with an arbitrary extension (e.g., a `.html` file containing script code).
5. Submit the form. The injected script will execute when an admin views the asset list, and the uploaded file will be accessible at its stored URL [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (0)

No linked articles in our index yet.