CVE-2018-1999021

Vulnerability

Gleez CMS version 1.3.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the profile page editor. The home page URL field does not properly sanitize user input, allowing an attacker to inject arbitrary JavaScript or HTML. The vulnerability is present in the public profile page rendering. No authentication bypass is required; any registered user can exploit it. References: [1], [3].

Exploitation

An attacker must have a registered user account on the Gleez CMS instance. The attacker navigates to their own profile edit page (e.g., /user/edit) and sets the homepage URL field to a malicious payload, such as http://x.x/. After saving, any victim who visits the attacker's public profile page will trigger the injected script. No additional user interaction beyond viewing the profile is required. References: [3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser when the victim visits the attacker's profile page. This can lead to session hijacking, cookie theft, phishing, or other client-side attacks. The impact is limited to the authenticated session of the victim user, but may lead to privilege escalation if the victim is an administrator. References: [1], [3].

Mitigation

As of the available references, no official patch or fixed version has been released. The Gleez CMS repository was archived and is now read-only [3]. Users should consider migrating away from Gleez CMS or implementing a web application firewall (WAF) to filter malicious payloads in profile fields. There is no known workaround short of disabling the profile feature or manual input validation. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.