Moderate severity · NVD Advisory · Published Jul 29, 2021 · Updated Aug 4, 2024

CVE-2020-22765

Description

Cross Site Scripting (XSS) vulnerability in NukeViet cms 4.4.0 via the editor in the News module.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in NukeViet CMS 4.4.0 News module editor allows attackers to inject arbitrary scripts via crafted article content.

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability exists in NukeViet CMS version 4.4.0 within the editor component of the News module [1][3]. The flaw allows an attacker to inject arbitrary HTML and JavaScript code when creating or editing news articles. The vulnerability is triggered because the editor does not properly sanitize user-supplied input before storing it in the database [3].

Exploitation

To exploit this vulnerability, an attacker must have the ability to post or edit articles in the News module, typically requiring an authenticated account with editor-level privileges. The attacker crafts a malicious payload (e.g., ``) within the editor content. When other users (including administrators) view the affected article, the injected script executes in their browser context [3].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser. This can result in session hijacking, cookie theft, redirection to malicious sites, or defacement of the CMS interface. The attack can be used to perform actions on behalf of the victim, potentially compromising the entire site if an administrator views the malicious article [3].

Mitigation

The NukeViet development team addressed this vulnerability in version 4.4.01, released shortly after the report [3]. Users should upgrade to 4.4.01 or later immediately. No official workaround is documented for unpatched installations. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
nukeviet/nukeviet (Packagist) | >= 4.4.0, < 4.4.01 | 4.4.01
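
To check an installation against the affected range above (>= 4.4.0, < 4.4.01), the following added example (not part of the advisory or of NukeViet) reads a `composer.lock` and classifies the locked `nukeviet/nukeviet` version. It assumes the install is tracked through Composer; the sample lock file and the function names are constructed for illustration.

```python
import json
import re

PACKAGE = "nukeviet/nukeviet"   # package name from the advisory table
AFFECTED_MIN = (4, 4, 0)        # >= 4.4.0
FIRST_PATCHED = (4, 4, 1)       # < 4.4.01 (zero-padded segment compares as 1)


def parse_version(text):
    """Turn '4.4.01', 'v4.4.0' or '4.4' into a 3-int tuple; None if not numeric."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-+.].*)?", text.strip())
    if not m:
        return None  # e.g. 'dev-master': cannot be placed in the range
    return tuple(int(part or 0) for part in m.groups())


def check_lock(lock_text):
    """Return (locked_version, status) for PACKAGE in a composer.lock document."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        if pkg.get("name", "").lower() != PACKAGE:
            continue
        raw = pkg.get("version", "")
        ver = parse_version(raw)
        if ver is None:
            return raw, "unknown"        # branch alias: review by hand
        if AFFECTED_MIN <= ver < FIRST_PATCHED:
            return raw, "affected"       # inside the advisory's range
        return raw, "outside-range"      # patched, or older than 4.4.0
    return None, "absent"


# Constructed sample lock file (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/other-lib", "version": "2.1.0"},
        {"name": "nukeviet/nukeviet", "version": "4.4.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, status = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: {status}")
```

A result of `unknown` means the locked version is a branch name rather than a release number and has to be checked manually.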

References

3
