CVE-2021-47855
Description
OpenLiteSpeed 1.7.9 has a stored XSS vulnerability in the dashboard Notes field, allowing admin users to inject scripts that execute when another admin clicks the Default Icon.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Overview
OpenLiteSpeed 1.7.9 is affected by a stored cross-site scripting (XSS) vulnerability in the web administration dashboard. The flaw resides in the 'Notes' parameter used during listener configuration. User-supplied input is not properly sanitized before being stored and later rendered in the admin interface, leading to the injection and execution of arbitrary script code [2][3]. The root cause is a lack of output encoding for the Notes field within the listener editing pages.
Exploitation
Exploitation requires an authenticated administrator account. An attacker with admin privileges can navigate to Listeners > Summary > select View Actions > Edit for a specific listener, then inject malicious JavaScript into the 'Notes' field [2]. After performing a Graceful Restart of the server, the payload is stored. The XSS triggers when an administrator visits the listener configuration page and clicks on the Default Icon element, which renders the unsanitized Notes content [2]. No additional user interaction beyond a single click on that icon is needed.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the admin dashboard. This could lead to session hijacking, administrative actions performed on behalf of the victim, or further compromise of the web server through the admin interface. The CVSS v3 score of 7.2 reflects a high severity due to the need for prior authentication but the potential for significant impact [3].
Mitigation
As of the available references, no patch or updated version is explicitly mentioned. Affected users should consider upgrading to a newer version of OpenLiteSpeed if available, or applying strict input validation and output encoding for the Notes field. Restricting administrative dashboard access to trusted users reduces the attack surface.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.7.9
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper neutralization of user-controllable input in the Notes parameter allows stored cross-site scripting."
Attack vector
An attacker who has administrative access to the OpenLiteSpeed dashboard can inject a JavaScript payload into the "Notes" field during listener configuration [ref_id=1]. The payload is submitted via a POST request to `/view/confMgr.php` with the `note` parameter containing encoded script tags (e.g., `%3Cscript%3Ealert('XSS')%3C%2Fscript%3E`) [ref_id=1]. After a graceful restart, the stored payload executes when any administrator clicks the Default Icon in the Listeners summary view, leading to stored cross-site scripting [CWE-79] [ref_id=1].
Affected code
The vulnerability resides in the dashboard's listener configuration page, specifically the "Notes" parameter processed by `/view/confMgr.php`. The `note` field in the POST request is stored without sanitization and later rendered when an administrator clicks the Default Icon in the Listeners summary view [ref_id=1].
What the fix does
The advisory does not include a patch or vendor fix details [ref_id=1]. To remediate this vulnerability, the application should properly neutralize or encode user-controllable input before storing and later rendering the "Notes" field in the web interface, preventing script execution in the browser [CWE-79].
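The output-encoding fix described here and under Mitigation, as an added Python example that is not OpenLiteSpeed's code: a hypothetical template renders a stored listener note next to the Default Icon, first interpolated unencoded and then HTML-encoded at render time, with a parser-based regression check that the note contributes no element of its own. The template markup, function names and the legitimate sample note are assumptions; the encoded payload is the one quoted in this advisory.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed inputs: the URL-encoded payload quoted in this advisory, as it arrives
# in the POST `note` parameter, and a legitimate note with HTML-special characters.
ENCODED_PAYLOAD = "%3Cscript%3Ealert('XSS')%3C%2Fscript%3E"
LEGIT_NOTE = 'Tom & Jerry\'s "prod" listener'

def store_note(note_param: str) -> str:
    """Decode the field as the framework does; store raw, neutralize at output."""
    return unquote(note_param)

def render_note_vulnerable(stored: str) -> str:
    """Before (hypothetical template): the note is interpolated unchanged into the
    icon's title attribute and the note panel, so markup in it becomes page markup."""
    return (f'<img src="/icons/default.png" alt="default icon" title="{stored}">'
            f'<div class="note">{stored}</div>')

def render_note_fixed(stored: str) -> str:
    """After: HTML-encode at render time. quote=True also escapes ' and ", so the
    value is inert inside the quoted attribute as well as in the element body."""
    safe = html.escape(stored, quote=True)
    return (f'<img src="/icons/default.png" alt="default icon" title="{safe}">'
            f'<div class="note">{safe}</div>')

class _Fragment(HTMLParser):
    """Collects start tags and visible text the way a browser tokenizer would."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def parse_fragment(markup: str) -> _Fragment:
    p = _Fragment()
    p.feed(markup)
    p.close()
    return p

def note_is_inert(markup: str) -> bool:
    """Regression check: only the template's own elements may appear; a note that
    adds any tag (such as script) was rendered as markup instead of text."""
    return parse_fragment(markup).tags == ["img", "div"]

def displayed_text(markup: str) -> str:
    """What the administrator sees after the browser decodes entities; encoding
    must neutralize the payload without mangling legitimate notes."""
    return "".join(parse_fragment(markup).text)
```

The same check can be run against the real rendered page in a test suite: feed the HTML of the listener summary to the parser and fail the build if any tag other than the template's own appears.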
Preconditions
- Auth: Attacker must have administrative access to the OpenLiteSpeed web dashboard
- Network: The dashboard must be accessible over the network (default port 7080)
- Input: Attacker must submit a crafted POST request to /view/confMgr.php with a malicious note parameter
Reproduction
Step 1: Log in to the dashboard using the Administrator account.
Step 2: Go to Listeners > Summary > Actions (View) > Edit.
Step 3: Inject XSS payload into the "Notes" parameter.
Step 4: Perform a Graceful Restart.
Step 5: Trigger XSS when an administrator clicks on the Default Icon [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.