VYPR
Unrated severity · NVD Advisory · Published Sep 9, 2021 · Updated Aug 4, 2024

CVE-2020-19292

Description

A stored cross-site scripting (XSS) vulnerability in the /question/ask component of Jeesns 1.4.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload in a posted question.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jeesns 1.4.2 has a stored XSS in /question/ask that allows arbitrary HTML/JS execution via a crafted question payload.

Vulnerability

Jeesns version 1.4.2 contains a stored cross-site scripting (XSS) vulnerability in the /question/ask component. The application fails to sanitize or escape user input in the question text field, allowing arbitrary web scripts or HTML to be stored and later rendered to other users [1].

Exploitation

An attacker can submit a crafted payload (e.g., a JavaScript snippet or malicious HTML) as the question content via the POST /question/ask endpoint. No authentication or special privileges are required beyond being able to access the public question submission form. The payload is stored in the database and executed in the browser of any victim viewing the affected question page [1].

Impact

Successful exploitation leads to arbitrary script execution in the context of the victim's session against the Jeesns application. This can result in theft of session cookies, defacement, or redirection to attacker-controlled sites. The stored XSS persists until the malicious question is removed, affecting all subsequent viewers [1].

Mitigation

The vendor has not released a patched version publicly, and the software is no longer actively maintained. The issue was reported via GitHub issue #24 on the Jeesns repository. Until an official fix is provided, users should disable the question posting feature or apply their own controls to question content (e.g., input sanitization, HTML encoding on output, CSP headers) [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
