CVE-2020-36954
Description
Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Xeroneit Library Management System 3.1 is vulnerable to stored XSS in the Book Category feature, allowing admin-level JavaScript injection.
Vulnerability
Xeroneit Library Management System version 3.1 contains a stored cross-site scripting (XSS) vulnerability in the Book Category feature [1][2]. The root cause is improper neutralization of user input when processing the Category Name field; the application fails to sanitize or escape the input before storing it and later rendering it on the page [2].
Exploitation
An attacker must be logged in as an administrator to access the Book Category menu [3]. From there, the attacker can add a new category and inject a payload such as "><img src onerror=alert(1)> into the Category Name field [3]. The payload is stored and executed in the browser of any user who subsequently views the category page, requiring no further interaction from the victim beyond normal page load [2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the affected application [2]. This can lead to session hijacking, defacement, or redirection to malicious sites, depending on the attacker's script. The attack is persistent and may affect multiple users until the malicious category entry is removed.
Mitigation
The vendor has not released a patched version for this vulnerability as of the publication date [2]. Users are advised to limit administrative access to trusted personnel, review all category input manually, or consider using a web application firewall (WAF) to block common XSS payloads. Third-party advisories confirm the issue affects version 3.1 and possibly earlier releases [2][3].
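The narrative above names the root cause (the stored Category Name is rendered without escaping) and, in the absence of a vendor patch, leaves operators with access restriction and manual review. The following is an added example, not code from Xeroneit or from the advisories, showing the defensive fix an operator or maintainer would apply: the vulnerable rendering pattern beside its hardened form, plus a defense-in-depth allowlist for category names. Function names, the `<td>`/`<input>` markup and the validation regex are assumptions chosen for illustration; the only value taken from the page is the payload quoted in the Exploitation section.

```python
import html
import re

# Constructed sample: the Category Name payload quoted in the advisory.
PAYLOAD = '"><img src onerror=alert(1)>'

# Assumed allowlist for a library category name: letters, digits, spaces,
# ampersands, hyphens and apostrophes, 1-64 characters. This is defense in
# depth; output encoding below is the actual fix.
CATEGORY_NAME_RE = re.compile(r"^[A-Za-z0-9 &'\-]{1,64}$")


def is_valid_category_name(name: str) -> bool:
    """Input-side check to run before storing a new category."""
    return bool(CATEGORY_NAME_RE.fullmatch(name))


def render_category_row_unsafe(name: str) -> str:
    """Vulnerable pattern, shown only for comparison: the stored value is
    concatenated into the page verbatim, so any markup in it becomes live HTML."""
    return f'<td class="category">{name}</td>'


def render_category_row(name: str) -> str:
    """Hardened pattern: HTML-escape the stored value at render time.
    html.escape(quote=True) neutralises <, >, &, \" and ' for text content."""
    return f'<td class="category">{html.escape(name, quote=True)}</td>'


def render_category_input(name: str) -> str:
    """The same rule applied in an attribute context (an edit form's value="...").
    Escaping quotes is what prevents the payload's leading \"> from closing the
    attribute and starting a new element."""
    return f'<input name="category_name" value="{html.escape(name, quote=True)}">'


def contains_live_img_tag(rendered: str) -> bool:
    """Detection helper for the demonstration: does the rendered fragment contain
    an unescaped <img ...> element that a browser would parse as markup?"""
    return "<img" in rendered


if __name__ == "__main__":
    print("allowlist accepts payload:", is_valid_category_name(PAYLOAD))
    print("unsafe :", render_category_row_unsafe(PAYLOAD))
    print("escaped:", render_category_row(PAYLOAD))
    print("attr   :", render_category_input(PAYLOAD))
```

Run it and the unsafe row contains a live `<img ...>` element while the escaped row and attribute contain only `&lt;img ...&gt;`, which a browser renders as text. Output encoding is applied at every sink regardless of whether the allowlist is in place, because the allowlist can be bypassed by any path that writes the category table directly.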
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.