CVE-2020-14018

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Navigate CMS version 2.9 r1433. The User field and E-Mail field on the user management pages do not sanitize user input, leading to persistent XSS. The malicious payload is stored and executed when viewing the user list via the User field or E-Mail field, and when editing a user via the E-Mail field [1].

Exploitation

An attacker with the ability to create or edit users (at least a user with appropriate permissions, such as an administrator) can inject arbitrary JavaScript into either the User field or the E-Mail field. When another user visits the page to view users (e.g., the user list) or the page to edit users (for the E-Mail field), the injected script is executed in their browser. No special network position is required; the attacker simply needs write access to user data [1].

Impact

Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, data theft, or further actions within the Navigate CMS application. The impact is limited to the browser session of users who view the affected user information [1].

Mitigation

As of the publication date (2020-06-24), no official patch or fixed version has been released for Navigate CMS 2.9 r1433. Users are advised to sanitize user input manually via custom configuration or to restrict access to user management pages to trusted administrators only. No workaround is provided in the available references [1].