CVE-2020-19289
Description
A stored cross-site scripting (XSS) vulnerability in the /member/picture/album component of Jeesns 1.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the new album tab.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jeesns 1.4.2 suffers from a stored XSS vulnerability in the /member/picture/album component, allowing arbitrary script execution via crafted payload in the new album tab.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the /member/picture/album component of Jeesns 1.4.2 [1]. An attacker can inject arbitrary HTML or JavaScript code via a crafted payload in the new album tab, which is then stored and executed when the album page is viewed [1].
Exploitation
An attacker must first register or have a valid user account on the Jeesns application. The attacker navigates to the /member/picture/album endpoint, creates a new album, and submits a crafted payload in the album name or description field. The payload is stored in the database without sanitization [1]. When any user (including administrators) views the album page, the injected script executes in their browser [1].
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the context of the victim's session. This allows theft of session cookies, defacement, or further actions (such as CSRF attacks) with the privileges of the logged-in user. The attacker requires no high privilege level to initiate the attack, just an authenticated session [1].
Mitigation
As of the available references, no fixed version has been released. Users should apply strict input sanitization and output encoding on all user-supplied data in the album creation functionality. Additionally, a Content Security Policy (CSP) can help mitigate execution of injected scripts. Monitoring the project repository for future patches is advised [1].
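To make the two mitigations above concrete, the following is an added example (not code from the Jeesns project or from this CVE record) showing server-side HTML output encoding of album fields and a restrictive Content Security Policy header. The field names `name` and `description`, the `renderAlbumCard` template function and the CSP value are assumptions for illustration; the sample album is constructed.

```javascript
// Added example: output encoding and CSP for user-supplied album fields.
// Not Jeesns code; field names and template shape are assumptions.

// Minimal HTML entity map: the five characters that can break out of
// text content or an attribute value.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for insertion into an HTML text node or quoted attribute.
// Each character is replaced exactly once, so already-encoded input is not
// double-encoded differently from raw input.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern for contrast: raw interpolation of stored fields.
// Anything stored in album.name is emitted as markup and will execute.
function renderAlbumCardUnsafe(album) {
  return `<div class="album"><h3>${album.name}</h3><p>${album.description}</p></div>`;
}

// Hardened pattern: every user-controlled field passes through escapeHtml
// at the point of output, regardless of what was accepted on input.
function renderAlbumCard(album) {
  return `<div class="album"><h3>${escapeHtml(album.name)}</h3>` +
         `<p>${escapeHtml(album.description)}</p></div>`;
}

// A CSP that only allows scripts from the application's own origin and
// blocks inline script; injected <script> text would be refused by the
// browser even if encoding were missed somewhere. Assumed policy value.
function buildCsp() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Simple detection check for the stored value itself: does a rendered
// fragment still contain an executable tag? Useful as a regression test
// on the template layer.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample album with markup in the name (not a real record).
const sampleAlbum = {
  name: 'Holiday <script>alert(1)</script>',
  description: 'Beach "trip" & more',
};

// Running stand-alone prints both renderings for comparison.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderAlbumCardUnsafe(sampleAlbum));
  console.log('encoded:', renderAlbumCard(sampleAlbum));
  console.log('CSP    :', buildCsp());
}
```

In a Spring application the same encoding would be done by the template engine's escaping mode rather than by hand, and the CSP string would be set as the `Content-Security-Policy` response header; the point is that encoding happens on output, for every field, independent of input filtering.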
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Jeesns/Jeesns
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/zchuanzhao/jeesns/issues/18 (MISC)
- www.seebug.org/vuldb/ssvid-97947 (MISC)
News mentions
No linked articles in our index yet.