CVE-2018-20370
Description
SZ NetChat before 7.9 has XSS in the MyName input field of the Options module. Attackers are able to inject commands to compromise the enabled HTTP server web frontend.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: < 7.9
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization in the MyName field of the Options module allows persistent JavaScript injection."
Attack vector
An attacker with guest-level restricted authentication can inject persistent JavaScript into the MyName field of the Options module [ref_id=1]. When the built-in HTTP server serves the stored name to other users, the injected script executes in their browsers, leading to cross-site scripting [CWE-79] [ref_id=1]. The attack requires low user interaction — the victim only needs to view the attacker's profile or a page rendered by the HTTP server.
Affected code
The vulnerability is in the MyName input field of the Options module in SZ NetChat before version 7.9 [ref_id=1]. The advisory does not specify exact file paths or function names.
What the fix does
The vendor released version 7.9 to address the issue [ref_id=1]. The advisory does not include a patch diff, but the fix presumably sanitizes or encodes the MyName input to prevent script injection. No further technical details about the remediation are provided in the reference.
Preconditions
- auth: Attacker must have guest-level (restricted) authentication to the NetChat application
- config: The built-in HTTP server must be enabled to serve the injected content to victims
- input: Victim must access the attacker's profile or a page rendered by the HTTP server
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.vulnerability-lab.com/get_content.php (mitre, x_refsource_MISC)