CVE-2020-23655
Description
NavigateCMS 2.9 is affected by Cross Site Scripting (XSS) on module "Configuration."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
NavigateCMS 2.9 Configuration module has a stored XSS vulnerability via unsanitized user input in the 'fid' parameter.
Vulnerability
The NavigateCMS 2.9 Configuration module is vulnerable to stored Cross-Site Scripting (XSS) when an authenticated user injects malicious HTML/JavaScript into the fid parameter via the /navigate/navigate.php endpoint. The bug resides in the lack of proper output encoding or sanitization for reflected user-controlled data. Affected versions: NavigateCMS 2.9 (and possibly earlier).
Exploitation
An attacker must first authenticate to the CMS panel. Then, they can navigate to any of the listed fid endpoints (e.g., ?fid=users, ?fid=profiles, etc.) and use the "Create" action to insert a payload such as '><details/open/ontoggle=confirm(1337)>. The injected script will be stored and subsequently executed in the victim's browser when the page is rendered, without requiring any additional user interaction.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to theft of session cookies, redirection to attacker-controlled sites, or other malicious operations performed under the guise of the legitimate CMS interface.
Mitigation
As of the referenced GitHub issue [1], no official patch has been released. Mitigation requires developers to HTML-entity encode all user-supplied output before reflection back to the page. Until a fix is deployed, administrators should restrict access to the Configuration module to trusted users only and avoid using the vulnerable fid endpoints with untrusted input.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- NavigateCMS/NavigateCMSdescription
- Range: = 2.9
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Insufficient output encoding in the Configuration module allows stored cross-site scripting."
Attack vector
An authenticated attacker with panel access navigates to the Configuration module and uses the "Create" action to inject a stored XSS payload such as `'>
Affected code
The vulnerability exists in the "Configuration" module of NavigateCMS 2.9, accessible via `/navigate/navigate.php?fid=about` and related endpoints such as `fid=users`, `fid=profiles`, `fid=menus`, `fid=functions`, and `fid=backups` [ref_id=1]. The advisory does not specify a particular source file or function name.
What the fix does
No patch is provided in the advisory. The reporter recommends that instead of merely stripping script tags, the application should HTML-entity-encode any output reflected back to the page [ref_id=1]. Until a fix is applied, administrators should sanitize all user-supplied input in the Configuration module and ensure output encoding is enforced.
Preconditions
- authAttacker must be authenticated to the NavigateCMS panel
- configAttacker must have access to the Configuration module
- inputPayload is submitted via the 'Create' action in the Configuration module
Reproduction
Login to the NavigateCMS panel. Navigate to `/navigate/navigate.php?fid=about`, then go to the "Configuration" module. Choose any of the listed sub-pages (`fid=users`, `fid=profiles`, `fid=menus`, `fid=functions`, `fid=backups`), click "Create", and insert the payload `'>
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/NavigateCMS/Navigate-CMS/issues/11mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.