CVE-2020-23656

Vulnerability

NavigateCMS 2.9 is affected by a stored cross-site scripting (XSS) vulnerability in the "Content" module [1]. An authenticated attacker can inject malicious HTML or JavaScript via the Content creation interface. The input is insufficiently sanitized before being stored and later rendered in the administrative panel, as described in [1]. The vulnerability is present in version 2.9; no other versions are mentioned in the provided references.

Exploitation

To exploit this vulnerability, an attacker must have a valid account with access to the Content module. The steps, as reproduced in [1], are: log into the administrative panel, navigate to navigate.php?fid=dashboard, go to the Content module, click "Create", and insert a payload — for example, '><details/open/ontoggle=confirm(1337)> — and save it. When another user (or the same user) views the saved content, the payload executes in the context of the victim's browser session, without requiring user interaction beyond viewing the page.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, redirection to malicious sites, or other actions on behalf of the authenticated victim. The impact is limited to user sessions, not server compromise, but can be used to escalate privileges or exfiltrate sensitive data within the CMS [1].

Mitigation

As of August 2020, no official patched version had been released [1]. The issue is tracked in the NavigateCMS GitHub issue #12 [1]. Administrators should restrict access to the Content module to trusted users only, and consider applying input validation and output encoding on all user-supplied data until a fix is available. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.