VYPR
Moderate severity · NVD Advisory · Published Sep 9, 2019 · Updated Aug 5, 2024

CVE-2019-16130

Description

YII2-CMS v1.0 has stored XSS via the name field in the contact form, allowing arbitrary script execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

YII2-CMS v1.0 suffers from a stored cross-site scripting (XSS) vulnerability in the contact form. The name field in protected\core\modules\home\models\Contact.php is not sanitized or length-restricted, despite other fields having validation rules. An attacker can inject malicious JavaScript payloads into the name field, which are then stored on the server and executed when the administrator or any user views the contact submission details [1][2].

Exploitation

The attack is performed by sending a POST request to /contact.html with a crafted Contact[name] parameter containing script tags. No authentication is required to submit the form. The payload is stored in the database and rendered without output encoding, so it executes automatically in the browser of any user who opens the contact message list or detail page [2].

Impact

A remote, unauthenticated attacker can execute arbitrary JavaScript in the context of any user viewing the contact submissions, including administrators. This can lead to session hijacking, credential theft, or defacement. The CVSS v3.1 score reflects medium severity, but if an admin is targeted, the impact can be elevated [1].

Mitigation

The vendor has not released a patched version. The issue was reported in 2019 and remains unaddressed in the latest available code. Until it is fixed, add a validation rule for the name field in Contact.php (type and maximum length, as the other fields already have), HTML-encode the stored value wherever the admin views render it, or disable the contact form if it is not required [1][2].
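The following is an added example, not code from YII2-CMS or the Yii framework. It shows the shape of the request described under Exploitation (the array-style Contact[name] parameter), the vulnerable rendering pattern (the stored name echoed into admin HTML unchanged), and the two fixes described under Mitigation: output encoding with the same htmlspecialchars() flags that yii\helpers\Html::encode() uses, and a length/required rule mirroring what a Yii rules() entry would enforce. The 64-character limit, the helper names, both payloads and the use of mbstring are assumptions; the real fix lives in the project's Contact.php and its admin views.

```php
<?php
// Added example (not YII2-CMS code). Constructed payloads and assumed
// helper names; the only field name taken from the advisory is Contact[name].
declare(strict_types=1);

// 1. Reproduction request body. http_build_query() produces the nested
//    Contact%5Bname%5D=... form exactly as a browser submitting the form would.
function buildContactPostBody(string $name): string
{
    return http_build_query(['Contact' => ['name' => $name]]);
}

// 2. Vulnerable rendering: the stored value goes into the admin's HTML raw,
//    so a stored <script> element runs when the submission list is viewed.
function renderSubmissionUnsafe(string $storedName): string
{
    return '<td>' . $storedName . '</td>';
}

// 3. Output-encoding fix. ENT_QUOTES | ENT_SUBSTITUTE with UTF-8 is what
//    yii\helpers\Html::encode() passes to htmlspecialchars(); in a Yii view
//    call Html::encode($model->name), and do not give a GridView/DetailView
//    column 'format' => 'raw' for user-supplied data.
function renderSubmissionSafe(string $storedName): string
{
    return '<td>' . htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// 4. Input validation, defence in depth only (it does not stop a short
//    payload). The Yii equivalent is extra entries in Contact::rules():
//        ['name', 'trim'],
//        ['name', 'required'],
//        ['name', 'string', 'max' => 64],   // 64 is an assumed limit
//    This standalone check mirrors those rules so the script runs without
//    the framework (mbstring assumed available for mb_strlen).
function validateName(string $name): array
{
    $name = trim($name);
    $errors = [];
    if ($name === '') {
        $errors[] = 'Name cannot be blank.';
    }
    if (mb_strlen($name, 'UTF-8') > 64) {
        $errors[] = 'Name should contain at most 64 characters.';
    }
    return $errors;
}

// Constructed payloads: a short one that passes length validation and is
// only neutralised by output encoding, and a long one that validation rejects.
$payloads = [
    'short' => '<script>alert(document.domain)</script>',
    'long'  => str_repeat('A', 70) . '<script>alert(1)</script>',
];

foreach ($payloads as $label => $payload) {
    $errors = validateName($payload);
    echo "[$label]" . PHP_EOL;
    echo "  POST body:   " . buildContactPostBody($payload) . PHP_EOL;
    echo "  validation:  " . ($errors ? implode(' ', $errors) : 'accepted') . PHP_EOL;
    echo "  unsafe view: " . renderSubmissionUnsafe($payload) . PHP_EOL;
    echo "  safe view:   " . renderSubmissionSafe($payload) . PHP_EOL;
}
```

Run with `php contact_xss_demo.php`. The short payload is accepted by the length rule yet rendered inert (`&lt;script&gt;...`) by the encoding step, which is why encoding at output is the fix that actually closes the bug; the validation rule only limits what an attacker can store.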

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Ecosystem   Affected versions   Patched versions
yii2mod/yii2-cms   Packagist   < 1.9.2             1.9.2

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 5
