CVE-2020-37237
Description
Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner functionality, which execute for all website visitors when they access the home page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Composr CMS 10.0.34 has a persistent XSS vulnerability where authenticated admins can inject scripts via the banner Description field, affecting all visitors.
Vulnerability
Composr CMS version 10.0.34 contains a persistent cross-site scripting (XSS) vulnerability in the banner management interface [3]. The Description field of the "Add banner" functionality does not properly sanitize user input, allowing authenticated administrators to inject arbitrary HTML and JavaScript [4]. The injected payload is stored and later rendered on the home page for all visitors. The vulnerability affects Composr CMS 10.0.34 and possibly earlier versions [3].
Exploitation
An attacker must have valid administrator credentials to access the banner management interface [4]. After logging in, the attacker navigates to the "Add banner" page, enters an XSS payload in the `Description` field, and saves the banner [4]. No additional user interaction is required beyond the initial admin action. The payload is then executed automatically whenever any user visits the home page [3].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any visitor's browser session when they access the home page [3]. This can lead to session hijacking, defacement, or theft of sensitive information. The attack is persistent and affects all users, not just the administrator [4].
Mitigation
The vendor has released version 10.0.52, which likely includes a fix [1]. Users should upgrade to the latest version (10.0.52 or later) available from the official download page [1]. If upgrading is not immediately possible, administrators should restrict access to the banner management interface to trusted users only. No workaround is provided in the references. The vulnerability is listed in the Exploit Database [4] but not in the CISA KEV as of the publication date.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 10.0.34
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.