CVE-2019-9553

Vulnerability

Description CVE-2019-9553 is a stored cross-site scripting (XSS) vulnerability in Bolt CMS version 3.6.4. The flaw exists because the application fails to properly sanitize user input in the slug, teaser, and title parameters when editing content in the /editcontent/pages endpoint. This issue is related to previously identified XSS vulnerabilities CVE-2017-11128 and CVE-2018-19933 [2].

Exploitation

An attacker with authenticated access to the Bolt CMS backend can exploit this vulnerability by sending a crafted POST request to /bolt/editcontent/pages. The provided exploit demonstrates injecting a ` tag into the title` parameter, which is then stored and executed when other users view the affected page [3]. No special privileges beyond content editing are required.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of any user visiting the compromised page. This can lead to session hijacking, defacement, or theft of sensitive information. The vulnerability is classified as stored XSS, meaning the malicious script persists across sessions and affects all subsequent visitors [2][3].

Mitigation

Bolt CMS has addressed this issue in later versions. Users are strongly advised to upgrade to a supported release (e.g., Bolt 5) as the 3.x series is no longer actively maintained [4]. No official patch for 3.6.4 is available; upgrading or applying input validation filters is recommended.