CVE-2020-23974
Description
Create-Project Manager 1.07 has Multi Persistent Cross-site Scripting and HTML injection in via Online chat, Social feed,Message(title-tag), Add new client (all-tags).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Create-Project Manager 1.07 is vulnerable to multiple persistent XSS and HTML injection attacks via chat, social feed, messages, and client creation forms, allowing attacker-controlled script execution.
Vulnerability
Create-Project Manager version 1.07 suffers from multiple persistent Cross-Site Scripting (XSS) and HTML injection vulnerabilities. The flaw exists in several input fields: the Online chat, Social feed, Message (title-tag), and Add new client (all-tags) forms. User-supplied input is not sanitized or encoded before being stored and later rendered, allowing arbitrary HTML and JavaScript to be injected. Affected version is 1.07, though the vendor's CodeCanyon page lists the current version as 1.6, possibly indicating the vulnerability may persist in later releases as well [1][2].
Exploitation
An attacker needs only to access the application and navigate to any of the vulnerable input fields (Online chat, Social feed, Message title-tag, Add new client all-tags). The attacker enters a malicious payload such as vvv or `` and submits the content. The payload is stored on the server and executed when any user (including administrators) views the affected page or receives the message. No special privileges or authentication are required on the part of the attacker, except that they must be able to reach the application's interface [1].
Impact
Successful exploitation leads to persistent XSS, which allows the attacker to execute arbitrary JavaScript in the context of any user who views the injected content. This can lead to session hijacking, theft of sensitive data, defacement, and other attacks against administrators and regular users. The impact is considered high due to the multi-vector nature and the fact that injection occurs in core communication and client management features [1].
Mitigation
As of the available references, no official patch or fixed version has been released. The vendor's page indicates version 1.6, but it is unclear whether this includes a fix. Users are advised to upgrade to the latest available version (1.6 or later) from the CodeCanyon page and verify that input sanitization is applied. As a workaround, a web application firewall (WAF) can be configured to block common XSS payloads. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Create-Project/Project Managerdescription
- Range: = 1.07
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
2- cxsecurity.com/issue/WLB-2020050071mitrex_refsource_MISC
- packetstormsecurity.com/files/157599/Create-Project-Manager-1.07-Cross-Site-Scripting-HTML-Injection.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.