CVE-2021-47981
Description
Quick.CMS 6.7 contains a cross-site scripting vulnerability in the sliders form that allows authenticated attackers to inject malicious scripts by submitting XSS payloads through the sDescription parameter. Attackers can craft CSRF forms targeting the admin.php?p=sliders-form endpoint to execute arbitrary JavaScript in victim browsers when the form is submitted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Quick.CMS 6.7 is vulnerable to cross-site scripting via the sDescription parameter in the sliders form, exploitable through CSRF.
Vulnerability
Quick.CMS 6.7 contains a stored cross-site scripting (XSS) vulnerability in the sliders form. An authenticated attacker can inject arbitrary JavaScript via the sDescription parameter when creating or editing a slider. The vulnerability exists in versions up to and including 6.7 [1].
Exploitation
An attacker must first have valid admin credentials. They then craft a CSRF form targeting admin.php?p=sliders-form with a hidden input for sDescription containing an XSS payload such as ``. When an authenticated admin submits the form (e.g., via social engineering), the payload executes in the admin's browser [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin panel. This can lead to session hijacking, theft of cookies, or performing administrative actions on behalf of the victim [3].
Mitigation
The vulnerability is fixed in Quick.CMS version 6.8, released on 2025-04-24 [1]. Users should upgrade to version 6.8 or later. No workaround is available for versions 6.7 and earlier.
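The chain described in the Exploitation section needs two things to succeed: a form handler that accepts a cross-site POST to the sliders form, and a page that renders sDescription without encoding. The PHP below is an added illustration of the two server-side controls that break that chain; it is not Quick.CMS code and does not describe how version 6.8 fixed the issue. The function names, the session and slider array layout, and the sample submissions are assumptions constructed for the example.

```php
<?php
// Added defensive example, not Quick.CMS code. Function names and the
// session/slider array layout are assumptions made for illustration.
declare(strict_types=1);

// Issue a per-session anti-CSRF token; the legitimate form carries it in a hidden field.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// A form forged on another origin cannot read the victim's token, so its value
// cannot match. hash_equals() keeps the comparison constant-time.
function csrfValid(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Encode untrusted text for an HTML body or attribute context so a stored
// payload renders as literal characters instead of executing.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hypothetical handler for a POST to the sliders form.
function handleSliderForm(array &$session, array $post, array &$sliders): array
{
    if (!csrfValid($session, $post)) {
        // Reject before anything is stored.
        return ['status' => 403, 'body' => 'Invalid or missing CSRF token'];
    }
    $description = (string)($post['sDescription'] ?? '');
    // Store the raw value and encode on output; storing encoded text
    // double-encodes the field on later edits.
    $sliders[] = ['sDescription' => $description];
    return ['status' => 200, 'body' => renderSlider(end($sliders))];
}

function renderSlider(array $slider): string
{
    return '<div class="slider-description">' . e($slider['sDescription']) . '</div>';
}

// Demo with constructed data.
$session = [];
$sliders = [];
$token   = csrfToken($session);

// Constructed cross-site submission: no token, so the handler refuses it.
$forged = handleSliderForm($session, ['sDescription' => '<script>alert(1)</script>'], $sliders);
echo $forged['status'], ' ', $forged['body'], PHP_EOL;

// Constructed in-session submission carrying the same payload: stored, but rendered inert.
$legit = handleSliderForm(
    $session,
    ['csrf_token' => $token, 'sDescription' => '<script>alert(1)</script>'],
    $sliders
);
echo $legit['status'], ' ', $legit['body'], PHP_EOL;
```

Either control alone closes one half of the chain: the token check stops a victim's browser from submitting an attacker-built form, and output encoding stops whatever does get stored from running as script. For fields that are meant to carry rich text, output encoding would be replaced by an HTML sanitizer with an allowlist of tags and attributes rather than skipped.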
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =6.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions
No linked articles in our index yet.