CVE-2020-18413
Description
Stored cross-site scripting (XSS) vulnerability in /index.php?admin-master-navmenu-add of Chaoji CMS v2.18 that allows attackers to execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Chaoji CMS v2.18 allows attackers to execute arbitrary JavaScript via crafted menu_label parameter.
Vulnerability
Chaoji CMS v2.18 contains a stored cross-site scripting (XSS) vulnerability in the /index.php?admin-master-navmenu-add page. The menu_label parameter is not properly sanitized, allowing an authenticated administrator to inject malicious JavaScript code that is stored and executed when other administrators view the menu page [1].
Exploitation
To exploit this vulnerability, an attacker must have administrator-level access to the Chaoji CMS panel. The attacker then visits the URL /index.php?admin-master-navmenu-add and injects a script payload into the menu_label field. The payload is stored and executed in the browsers of any user who subsequently views the affected navigation menu [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data. The attack is limited to authenticated administrators, but can compromise the entire admin panel [1].
Mitigation
The vendor has not released a patch as of the publication date. The recommended workaround is to filter and sanitize the menu_label parameter on input and, more importantly, HTML-encode it wherever it is written into a page, so that a stored label cannot introduce elements or attributes of its own. Administrators should also restrict access to the admin panel and review any custom code [1].
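The following is an added example, not code from the page or from the Chaoji CMS project, that contrasts the vulnerable pattern (a stored menu label interpolated straight into HTML) with the hardened one (entity-encoding at the output boundary). The in-memory store, the function names, and the sample label and URL are all constructed for the illustration; the href scheme allowlist goes slightly beyond the page's menu_label point, because entity-encoding alone does not neutralize a dangerous URL scheme inside an attribute.

```python
import html
from html.parser import HTMLParser

# Constructed in-memory stand-in for the CMS's navigation-menu table (hypothetical;
# the real Chaoji CMS storage layer is not shown on the page).
NAV_MENU: list[dict] = []

# Constructed sample label: ordinary text that happens to contain HTML metacharacters.
SAMPLE_LABEL = 'Home <b>"Deals"</b> & more'
SAMPLE_URL = "/index.php?page=home"


def add_nav_menu_item(menu_label: str, url: str) -> dict:
    """Store the label verbatim; encoding belongs at the output boundary, not in storage."""
    item = {"menu_label": menu_label, "url": url}
    NAV_MENU.append(item)
    return item


def render_unsafe(items: list[dict]) -> str:
    """Vulnerable pattern: stored values interpolated straight into HTML."""
    return "".join(
        f'<li><a href="{i["url"]}">{i["menu_label"]}</a></li>' for i in items
    )


def safe_href(url: str) -> str:
    """Allow only relative paths and http(s) URLs in href; anything else becomes '#'.
    Entity-encoding alone does not stop a dangerous URL scheme inside an attribute."""
    u = url.strip()
    if u.startswith("/") or u.lower().startswith(("http://", "https://")):
        return html.escape(u, quote=True)
    return "#"


def render_safe(items: list[dict]) -> str:
    """Hardened pattern: entity-encode text content and attribute values, validate href."""
    return "".join(
        f'<li><a href="{safe_href(i["url"])}">'
        f'{html.escape(i["menu_label"], quote=True)}</a></li>'
        for i in items
    )


class _TagCollector(HTMLParser):
    """Records the start tags a browser's parser would see in the rendered markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(markup: str) -> list[str]:
    """Return the element names a parser finds in markup, to check whether a stored
    label was able to introduce elements of its own."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags


def demo() -> dict:
    """Store the constructed label once and render it both ways."""
    NAV_MENU.clear()
    add_nav_menu_item(SAMPLE_LABEL, SAMPLE_URL)
    return {
        "unsafe_tags": tags_in(render_unsafe(NAV_MENU)),  # label's <b> becomes a real element
        "safe_tags": tags_in(render_safe(NAV_MENU)),      # only the template's li and a remain
        "safe_html": render_safe(NAV_MENU),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The point of checking with a parser rather than string matching is that it reflects what the browser will actually do with the markup: in the unsafe rendering the label contributes its own element, in the safe rendering it is inert text.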
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Chaoji CMS / Chaoji CMS
- Range: = 2.18
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.