CVE-2020-18414
Description
Stored cross-site scripting (XSS) vulnerability in Chaoji CMS v2.18 that allows attackers to execute arbitrary code via /index.php?admin-master-webset.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Chaoji CMS v2.18 contains a stored cross-site scripting vulnerability via the web_tongji parameter in the admin panel, allowing arbitrary code execution.
Vulnerability
Chaoji CMS version 2.18 is affected by a stored cross-site scripting (XSS) vulnerability in the /index.php?admin-master-webset page. The web_tongji parameter is not properly sanitized, allowing an attacker with administrative access to inject arbitrary HTML and JavaScript code. The injected code is stored and executed when the page is viewed by other administrators or users [1].
Exploitation
An attacker must first obtain valid administrator credentials and log in to the Chaoji CMS admin panel. By navigating to /index.php?admin-master-webset and supplying a malicious payload in the web_tongji parameter (e.g., ``), the attacker stores the script. Any user who subsequently loads the affected page will trigger the XSS payload in their browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data displayed within the admin panel. The attack does not grant direct server-side code execution but can be used to perform actions on behalf of the victim administrator [1].
Mitigation
According to the available references [1], the recommended fix is to filter or sanitize the web_tongji parameter to remove or escape HTML tags. The vendor has not yet released an official patched version. Administrators should restrict access to the admin panel and consider using a web application firewall (WAF) as a temporary workaround. If no fix is applied, the vulnerability remains exploitable in Chaoji CMS v2.18 [1].
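An added example (not from the advisory or from Chaoji CMS code): a Python audit that flags stored setting values containing active markup and shows the escaped form the mitigation calls for. The settings dictionary, its other keys and all function names are assumptions; only the name web_tongji comes from the page.

```python
import html
from html.parser import HTMLParser

# Tags that run or load active content when a browser renders them.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "link", "meta", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


class ActiveMarkupFinder(HTMLParser):
    """Collects reasons a stored value would execute if echoed unescaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active tag <{tag}>")
        for name, value in attrs:
            # Browsers ignore whitespace and case inside the URL scheme.
            compact = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.findings.append(f"script URL in {name} on <{tag}>")


def audit_setting(value):
    """Return the list of findings for one stored setting value."""
    finder = ActiveMarkupFinder()
    finder.feed(value)
    finder.close()
    return finder.findings


def render_escaped(value):
    """Output encoding: the value is displayed as text, never parsed as HTML."""
    return html.escape(value, quote=True)


def audit_settings(settings):
    """Map each setting key that holds active markup to its findings."""
    return {k: f for k, v in settings.items() if (f := audit_setting(v))}


# Constructed sample of stored site settings (hypothetical keys except web_tongji).
SAMPLE_SETTINGS = {
    "web_name": "Example Site",
    "web_tongji": "<script>alert(1)</script>",
    "web_footer": '<p onmouseover="alert(1)">footer</p>',
}
```

The audit is a heuristic for spotting markup that is already stored; the fix the page recommends is the escaping step applied wherever the value is written into a page.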
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Chaoji CMS/Chaoji CMS (description)
- Range: =2.18
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.