CVE-2021-27673
Description
Cross Site Scripting (XSS) in the "admin_boxes.ajax.php" component of Tribal Systems Zenario CMS v8.8.52729 allows remote attackers to execute arbitrary code by injecting arbitrary HTML into the "cID" parameter when creating a new HTML component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XSS in Zenario CMS admin_boxes.ajax.php allows remote authenticated attackers to execute arbitrary code via crafted cID parameter.
Vulnerability
A Cross-Site Scripting (XSS) vulnerability exists in the admin_boxes.ajax.php component of Tribal Systems Zenario CMS version 8.8.52729. An attacker can inject arbitrary HTML or JavaScript into the cID parameter when creating a new HTML component, leading to code execution in the context of the admin panel. [1]
Exploitation
To exploit this vulnerability, an attacker must have administrator-level access to the Zenario CMS. The attacker creates an HTML component and supplies a malicious payload in the cID parameter. When the component is rendered or processed, the injected script executes in the browser of an admin viewing the affected page. No user interaction beyond normal admin actions is required. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin panel. This can lead to session hijacking, data exfiltration, or further compromise of the CMS instance depending on admin privileges. [1]
Mitigation
The vulnerability is addressed in Zenario version 8.8.53370, which was released as a security update. [2] Users should upgrade to this version or later. If upgrading is not immediately possible, restrict admin panel access to trusted users only. No KEV listing has been reported. [3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tribalsystems/zenario (Packagist) | < 8.8.53370 | 8.8.53370 |
Affected products
- Tribal Systems/Zenario CMS (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-8hcm-jj4x-4gmr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-27673 (ghsa, ADVISORY)
- packetstormsecurity.com/files/163083/Zenario-CMS-8.8.52729-SQL-Injection.html (ghsa, x_refsource_MISC, WEB)
- deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38 (ghsa, x_refsource_MISC, WEB)
- github.com/TribalSystems/Zenario/releases/tag/8.8.53370 (ghsa, WEB)