VYPR
Unrated severity · NVD Advisory · Published Dec 21, 2020 · Updated Aug 4, 2024

CVE-2020-35275

Description

Coastercms v5.8.18 is affected by cross-site scripting (XSS). A user can steal a cookie and make the user redirect to any malicious website because it is triggered on the main home page of the product/application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Coastercms v5.8.18 contains a stored XSS in the Edit Page tab, allowing authenticated attackers to inject arbitrary JavaScript that executes on the main home page.

Vulnerability

Coastercms v5.8.18 is affected by a stored cross-site scripting (XSS) vulnerability in the Edit Page tab. An authenticated user can inject malicious scripts into page content, which are stored and later executed when the main home page is viewed. The vulnerable input is the page editor's content field, and the issue is triggered on the home page of the application [1].

Exploitation

An attacker must have valid admin credentials to access the admin panel. The steps are: log in to /admin/login, navigate to Pages → Homepage → Our Blog, click the edit button, insert a test payload such as `<script>alert(123)</script>`, and click update. After saving, clicking "View live page" redirects to the live page, where the stored XSS executes [1].

Impact

Successful exploitation allows an attacker to steal cookies and redirect users to arbitrary malicious websites. This can lead to session hijacking, credential theft, and further compromise of user accounts [1].

Mitigation

No official patch or fixed version has been released as of the publication date. Users should monitor the vendor's website for updates. As a workaround, implement input sanitization and a strict Content Security Policy (CSP) to mitigate script execution. The vulnerability is listed in the Exploit Database, but no fix is provided [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Stored cross-site scripting (XSS) due to insufficient sanitization of user-supplied input in the page editor."

Attack vector

An attacker with admin panel access navigates to Page → Homepage → Our Blog and clicks the edit page button [ref_id=1]. The attacker injects a JavaScript payload (e.g. `<script>alert(123)</script>`) into a vulnerable parameter on the Edit Page tab and saves the update [ref_id=1]. When any user views the live published page, the stored script executes in the browser, enabling cookie theft or redirection to a malicious site [ref_id=1].

Affected code

The vulnerable code resides in the Edit Page tab functionality of Coastercms v5.8.18 [ref_id=1]. The specific file paths and function names are not disclosed in the advisory.

What the fix does

No patch is included in the bundle. The advisory does not provide remediation guidance beyond the disclosure of the stored XSS vulnerability in Coastercms v5.8.18 [ref_id=1]. To fix this issue, the application should sanitize or encode user-supplied input before storing it and escape output when rendering page content.
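The "sanitize before storing" half of that advice, as an added illustration rather than Coastercms code or guidance from the advisory: a small allowlist sanitizer for page-editor HTML. The tag, attribute and URL-scheme policy below is an assumed blog-body policy, not the project's; a real deployment would use a maintained library with the same allowlist approach and still escape on output where raw HTML is not required.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist policy for page bodies (an assumption, not Coastercms's own policy): only these tags,
# only these attributes on them, and href limited to these schemes (relative URLs also pass).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "h2", "h3", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}

def _safe_url(value: str) -> bool:
    # Browsers ignore whitespace/control characters inside a scheme ("java\tscript:"), so strip them first.
    compact = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    scheme = urlparse(compact).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside <script>/<style>, whose contents must not leak through
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # e.g. <img onerror=...> is dropped entirely; any inner text still comes through
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                continue  # drops onclick, onerror, style and every other unlisted attribute
            if name == "href" and not _safe_url(value):
                continue
            kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text is always re-escaped on output

def sanitize_page_body(html: str) -> str:
    """Reduce page-editor HTML to the allowlist, so <script>alert(123)</script> cannot be stored."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Storing only the sanitized body removes the script at write time; the strict CSP suggested under Mitigation then acts as a second layer if an unsanitized record ever reaches the home page template.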

Preconditions

  • auth: Attacker must have valid admin panel credentials to log in
  • input: Attacker must navigate to the Edit Page tab for the target page

Reproduction

1. Navigate to `http://localhost/admin/login` and log in with admin credentials.
2. After login, navigate to Page → Homepage → Our Blog and click on the edit page.
3. Add the payload `<script>alert(123)</script>` and click on the update button.
4. Click on "View live page" to navigate to `http://localhost/homepage/blog`; the XSS payload will execute [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)