CVE-2021-28088

Vulnerability

CVE-2021-28088 describes a stored cross-site scripting (XSS) vulnerability in ImpressCMS profile 1.4.2. The flaw resides in the modules/content/admin/content.php file, where the "Display Name" field in user profile settings does not properly sanitize input. This allows an attacker to inject arbitrary web script or HTML, which is then stored and later executed when an administrator accesses the content management pages [1][2].

Exploitation

To exploit this vulnerability, an attacker must first create an account on the ImpressCMS instance and edit their profile, setting the "Display Name" to a malicious payload (e.g., '>). When an administrator subsequently visits "Administration Menu" > "Modules" > "Content" > "Contents" and clicks "Add a content", the injected script is executed in the context of the administrator's browser. No authentication is required beyond the attacker having a valid user account; however, the attack requires an administrator to access the content management interface [2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the administrator's browser. This can lead to session hijacking, defacement of the admin interface, or theft of sensitive information such as cookies and CSRF tokens. The stored XSS persists across sessions, making it a serious threat to the integrity of the administration panel [1][2].

Mitigation

As of the publication date, ImpressCMS 1.4.2 is affected, and no official patch or workaround has been mentioned in the advisories [1]. Administrators are advised to restrict access to the content management pages, validate and sanitize all user inputs, and monitor for any signs of exploitation. Upgrading to a newer version or applying input filtering may be necessary to mitigate the risk [2].