CVE-2020-36931
Description
Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Click2Magic 1.1.5 stored XSS in chat name allows attackers to capture admin cookies, leading to potential session hijacking.
Vulnerability Overview
Click2Magic 1.1.5 contains a stored cross-site scripting (XSS) vulnerability in the chat name input field [3]. The application fails to properly sanitize user input, allowing attackers to inject arbitrary JavaScript.
Exploitation Details
An unauthenticated attacker (or low-privileged user) can initiate a new chat and enter a malicious payload as their name [4]. When an administrator processes user requests or views the chat history, the injected script executes in the admin's browser context.
Impact
Successful exploitation enables the attacker to capture administrator cookies, potentially leading to session hijacking and unauthorized access to sensitive data managed by the admin [3][4].
Mitigation
The vulnerability affects Click2Magic version 1.1.5 and possibly earlier versions. As of the last known disclosure, no official patch has been released. Users are advised to restrict access to the admin interface and monitor for suspicious activity.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: = 1.1.5
Patches
No patches discovered yet.
References (4)