CVE-2020-13888

Vulnerability

Kordil EDMS through version 2.2.60rc3 contains stored cross-site scripting (XSS) vulnerabilities in the users_edit.php, users_management_edit.php, and user_management.php pages. These pages do not properly sanitize user-controlled input before storing it and later rendering it in the browser. The bug is reachable without special prerequisites, as it is part of standard user management functionality. [1]

Exploitation

An attacker with the ability to edit user profiles (typically any authenticated user with user management privileges) can inject malicious JavaScript into fields such as name, email, or other profile attributes. The injected script is stored on the server and executed in the context of any administrator or user who views the affected management pages. No user interaction beyond viewing the page is required for the exploit to trigger.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of anyone viewing the affected pages. This can lead to session cookie theft, exfiltration of sensitive data displayed on the page, or further actions such as impersonating the victim user. The scope of compromise is limited to the browser context, but it can enable further attacks within the EDMS application.

Mitigation

As of the publication date (2020-06-22), the vendor has not released a patched version beyond 2.2.60rc3. Users are advised to restrict access to the user management pages to trusted administrators only, and to monitor for official updates on the project page [1]. No workaround is documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the knowledge cutoff.