CVE-2018-25331

Vulnerability

The Zenar Content Management System (versions up to and including 7.0 [2]) contains a reflected cross-site scripting vulnerability in the ajax.php endpoint. The current_page parameter is accepted via POST request and reflected in the HTML response without proper sanitization or encoding [1]. This allows an attacker to inject arbitrary HTML and JavaScript code.

Exploitation

An unauthenticated attacker can craft a POST request to /zenario/ajax.php?method_call=refreshPlugin&inIframe=true with a malicious payload in the current_page parameter, such as '--> [1]. The response reflects the payload directly into a hidden input field's value, causing the script to execute in the context of the victim's browser. Exploitation requires the victim to be tricked into submitting the crafted request (e.g., via a malicious link or form submission).

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the Zenar CMS application's origin. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page.

Mitigation

No official patch is available as of this writing. Users should apply input validation and output encoding on the current_page parameter to neutralize script injection. If possible, restrict access to the ajax.php endpoint or upgrade to a version above 7.0 if a fix is released by the vendor.