CVE-2020-37240
Description
Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which execute when viewing the User List page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Queue Management System 4.0.0 has a stored XSS vulnerability allowing authenticated admins to inject scripts via user creation fields, executing on the User List page.
Vulnerability
Queue Management System 4.0.0 contains a stored cross-site scripting (XSS) vulnerability in the user creation functionality. Authenticated administrators can inject arbitrary JavaScript payloads into the First Name, Last Name, and Email fields when adding a new user. The payload is stored in the database and executed when the User List page is viewed. The vulnerability affects version 4.0.0 only, as per the vendor's software link [1][2].
Exploitation
An attacker must have valid administrator credentials to access the user creation form. The exploit steps are: log in as admin, navigate to Users > Add User, insert a payload such as "><svg/onload=alert(1)> into any of the three fields (First Name, Last Name, Email), and save the user. Subsequently, viewing the User List page triggers the stored script [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of any administrator who views the User List page. This can lead to session hijacking, defacement, or redirection to malicious sites. The impact is limited to the browser session of the viewing admin, but could be used to perform actions on behalf of that admin [2].
Mitigation
As of the publication date, no patched version has been released. The vendor has not provided an official fix. Administrators should restrict access to the admin panel, sanitize user input manually, or consider disabling the user creation feature if not required. The vulnerability is listed in the Exploit Database [1] and VulnCheck advisory [2].
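An added example, not code from Queue Management System or from the cited advisories, shows what sanitizing at output means for the User List page, and how to find payloads already stored in the database. It is a Python stand-in: the field names, the table-row layout and the sample rows are assumptions made for illustration.

```python
import html
import re

# Constructed sample rows standing in for the application's user table
# (field names are assumptions). The second row carries the payload
# quoted in the Exploitation section.
SAMPLE_USERS = [
    {"first_name": "Ada", "last_name": "O'Neil", "email": "ada@example.com"},
    {"first_name": '"><svg/onload=alert(1)>', "last_name": "Doe",
     "email": "doe@example.com"},
]
FIELDS = ("first_name", "last_name", "email")

# Angle brackets have no place in a name or e-mail address; apostrophes
# do (O'Neil), so the audit does not flag them.
ANGLE_BRACKETS = re.compile(r"[<>]")


def render_row_unsafe(user):
    """Raw interpolation: the pattern that makes stored XSS possible."""
    return "<tr>" + "".join(f"<td>{user[f]}</td>" for f in FIELDS) + "</tr>"


def render_row(user):
    """Encode every stored value at output time, whatever was saved."""
    cells = "".join(
        f"<td>{html.escape(str(user[f]), quote=True)}</td>" for f in FIELDS
    )
    return f"<tr>{cells}</tr>"


def audit_rows(users):
    """Return (row index, field) for stored values containing < or >."""
    return [
        (i, f)
        for i, user in enumerate(users)
        for f in FIELDS
        if ANGLE_BRACKETS.search(str(user[f]))
    ]


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(render_row(user))
    print("rows to review:", audit_rows(SAMPLE_USERS))
```

Encoding at render time neutralizes rows that were saved before any input filter existed; the audit only identifies which stored records to review.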
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.