CVE-2021-47950
Description
Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Advanced Guestbook 2.4.4 has a persistent XSS in the smilies admin interface via the s_emotion parameter, enabling authenticated attackers to execute scripts.
Vulnerability
CVE-2021-47950 describes a persistent cross-site scripting (XSS) vulnerability in Advanced Guestbook 2.4.4, specifically within the smilies administration interface. The root cause is the lack of proper input sanitization on the s_emotion parameter, allowing attackers to inject arbitrary JavaScript code that is stored and later executed in the browser of any user viewing the smilies tab [1][2].
Exploitation
To exploit this vulnerability, an attacker must first authenticate as an administrator. They then navigate to the "Smilies" tab, edit an existing emotion icon, and modify the emotion description (s_emotion) field to contain malicious JavaScript. Upon submitting the form and subsequently viewing the smilies list, the injected script executes in the context of the administrator's session [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript within the admin panel. This can lead to session hijacking, defacement of the guestbook, or further attacks against administrators. The vulnerability is rated Medium with a CVSS v3 score of 6.4, reflecting the need for authenticated access and user interaction [2].
Mitigation
No official patch has been released for Advanced Guestbook 2.4.4, as the application appears to be abandoned. Users are advised to migrate to an alternative script or implement web application firewall rules to block malicious input in the s_emotion parameter. Given the presence of a public exploit, this vulnerability should be prioritized for remediation [1][2].
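As an added illustration, not Advanced Guestbook's own code (which this page does not show), the general PHP pattern behind a stored XSS of this kind beside its hardened form: the row is saved from a POSTed s_emotion value and later echoed into the smilies table. Function names, the 64-character limit and the sample row are assumptions.

```php
<?php
// Hypothetical reconstruction of the flaw class in CVE-2021-47950; not the project's real code.

// Vulnerable pattern: the stored s_emotion description (saved verbatim from $_POST['s_emotion'])
// is concatenated straight into the smilies table markup, so any HTML in it reaches the browser.
function render_smiley_row_vulnerable(array $row): string
{
    return '<tr><td>' . $row['s_emotion'] . '</td></tr>';
}

// Hardened pattern, step 1: validate on input. An emotion description is short, printable text;
// reject empty, over-long or control-character input (limit of 64 is an assumption).
function validate_emotion_input(string $value): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > 64) {
        return null;
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $value)) {
        return null;
    }
    return $value;
}

// Hardened pattern, step 2: encode on output for the HTML context. This is what actually
// stops a stored script from executing when an administrator views the smilies tab.
function render_smiley_row_hardened(array $row): string
{
    $safe = htmlspecialchars($row['s_emotion'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $safe . '</td></tr>';
}

// Constructed sample row: a description carrying markup, as an attacker-controlled value might.
$stored = ['s_emotion' => '"><b>constructed</b>'];

echo render_smiley_row_vulnerable($stored), PHP_EOL; // markup is emitted unencoded
echo render_smiley_row_hardened($stored), PHP_EOL;   // markup is emitted as inert entities

// Input validation alone would still have accepted the sample above; output encoding is
// the control that must not be skipped.
var_dump(validate_emotion_input($stored['s_emotion']) !== null);
```

Running it side by side shows the same stored value rendered as live markup in the first case and as escaped text in the second; the validation step narrows what can be stored but does not replace output encoding.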
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 2.4.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.