CVE-2021-42656
Description
SiteServer CMS V6.15.51 is affected by a Cross Site Scripting (XSS) vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SiteServer CMS V6.15.51 contains a stored XSS vulnerability in the modalRelatedFieldItemEdit.aspx page allowing authenticated attackers to execute arbitrary JavaScript.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) in SiteServer CMS version 6.15.51. It resides in the /SiteServer/cms/modalRelatedFieldItemEdit.aspx page. An authenticated attacker can inject arbitrary JavaScript via the TbItemName POST parameter. The input is not sanitized before being stored and later rendered, leading to persistent XSS. [3]
Exploitation
An attacker must be authenticated to the SiteServer CMS backend. The exploit involves sending a POST request to the vulnerable page with a crafted TbItemName parameter containing a payload such as ``. The request includes necessary viewstate and session cookies. The payload is stored and executed when any administrator views the affected related field item. [3]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data. The attack is stored, meaning it persists and affects all users who access the compromised page. [3]
Mitigation
As of the available references, no official patch has been released for CVE-2021-42656. The vendor's GitHub repository [2] does not indicate a fix. Users should restrict access to the admin panel and apply input validation manually. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [2][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
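An added example, not code from the advisory or the SiteServer project: with no patch available, one way to act on the mitigation advice above is to audit the related-field item names already stored, encode them before display, and reject markup in new TbItemName values. The row layout, function names, allowlist policy and sample rows are assumptions constructed for illustration.

```python
import html
import re

# Assumption: item names are plain labels, so HTML metacharacters are unexpected.
HTML_META = re.compile(r"[<>\"'&]")
# Markup that would run script if rendered unencoded: tags, on* handlers, javascript: URIs.
ACTIVE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

# Constructed sample export of (item_id, item_name) pairs; not data from the advisory.
SAMPLE_ROWS = [
    (1, "Beijing"),
    (2, "R&D department"),
    (3, "<script>alert(1)</script>"),
    (4, "<img src=x onerror=alert(1)>"),
    (5, "&lt;svg onload=alert(1)&gt;"),
    (6, "Shanghai (East)"),
]


def classify_item_name(name):
    """Return 'active', 'suspicious' or 'clean' for one stored item name."""
    # Decode entities first so markup stored pre-encoded is not missed.
    decoded = html.unescape(name)
    if ACTIVE.search(decoded):
        return "active"
    if HTML_META.search(decoded):
        return "suspicious"
    return "clean"


def audit_items(rows):
    """Return one finding per non-clean row, with the HTML-encoded form to render."""
    findings = []
    for item_id, name in rows:
        verdict = classify_item_name(name)
        if verdict != "clean":
            safe = html.escape(name, quote=True)
            findings.append({"id": item_id, "verdict": verdict, "safe_render": safe})
    return findings


def is_acceptable_item_name(name, max_len=100):
    """Strict allowlist check for new TbItemName values (assumed policy)."""
    return 0 < len(name) <= max_len and name.isprintable() and classify_item_name(name) == "clean"


if __name__ == "__main__":
    for finding in audit_items(SAMPLE_ROWS):
        print(finding)
```

Rows marked "suspicious" contain a metacharacter but no active markup and need a manual look; encoding on output remains the control that neutralizes anything the audit misses.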
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| SSCMS (NuGet) | <= 6.15.51 | — |
Affected products
- SiteServer/SiteServer CMS (description)
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-2xwp-7j3p-c78x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-42656 (ghsa, ADVISORY)
- github.com/siteserver/cms/issues/3238 (ghsa, x_refsource_MISC, WEB)
- github.com/siteserver/cms/releases/download/siteserver-v6.15.51/siteserver_install.zip (mitre, x_refsource_MISC)