VYPR
Moderate severity · NVD Advisory · Published Mar 3, 2022 · Updated Aug 3, 2024

CVE-2022-24563

Description

In Genixcms v1.1.11, a stored Cross-Site Scripting (XSS) vulnerability exists in /gxadmin/index.php?page=themes&view=options via the intro_title and intro_image parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Genixcms v1.1.11 via intro_title and intro_image parameters allows arbitrary script injection in the admin panel.

Vulnerability

In Genixcms v1.1.11, a stored Cross-Site Scripting (XSS) vulnerability exists in /gxadmin/index.php?page=themes&view=options via the intro_title and intro_image parameters [1]. The application fails to properly sanitize user-supplied input, allowing an authenticated attacker to inject arbitrary HTML or JavaScript code that is stored and later executed in the context of the admin interface [1].

Exploitation

An attacker needs authenticated access to the GeniXCMS admin panel, since the vulnerable theme options page lives under /gxadmin and is only reachable by logged-in panel users [1]. The attacker opens the themes options page and submits a crafted HTML/JavaScript payload in either the intro_title or intro_image field [1]. No further user interaction is required after submission: the payload is stored in the database and rendered without encoding on every subsequent load of the page [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any admin who views the affected theme options page [1]. This can lead to session hijacking, admin credential theft, defacement, or forced actions performed on behalf of the victim admin within the same session [1]. The impact is limited to the admin panel context, but a compromise of admin privileges can cascade to full site control.

Mitigation

The AI-synthesized narrative states that the fix was released in GeniXCMS v2.4.0 and addresses the XSS through input sanitization [2], and advises users of v1.1.11 to upgrade to the latest stable version [2]. Note that the advisory data on this page lists no patched version for genix/cms (affected: <= 1.1.11) and reports no patches discovered, so confirm the fix against the upstream repository before relying on a version number. No workaround is publicly documented for unpatched installations [1][2].
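To make the mechanism concrete, the following is an added PHP illustration written for this page; it is not GeniXCMS code. The way the two options are rendered (intro_title in HTML text, intro_image in an img src attribute), the function names, and the sample values are assumptions. It shows the unsafe pattern the advisory describes next to a hardened version that applies context-aware output encoding and an allow-list on the image URL, plus a simple check an operator of an unpatched install could run over stored option values before they reach an admin's browser.

```php
<?php
// Added illustration for this advisory page, not GeniXCMS code. It models the
// pattern described above: theme options (intro_title, intro_image) are stored
// verbatim and later rendered into the admin theme-options page.

// Constructed sample of stored option values, as an attacker could submit them.
$stored = [
    'intro_title' => 'Welcome<img src=x onerror=alert(document.cookie)>',
    'intro_image' => 'javascript:alert(1)',
];

// Vulnerable rendering (assumed contexts): raw interpolation into an HTML text
// node and into a src attribute. Whatever was stored is executed by the browser.
function render_vulnerable(array $opt): string {
    return '<h1>' . $opt['intro_title'] . '</h1>'
         . '<img src="' . $opt['intro_image'] . '">';
}

// Context-aware HTML encoding; ENT_QUOTES also covers attribute values.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allow-list for the image source: only http(s) URLs or a site-relative path
// (a single leading slash). javascript:, data: and protocol-relative //host
// values are replaced with an empty string.
function safe_image_url(string $url): string {
    if (preg_match('#^(https?://[^\s"\'<>]+|/(?!/)[^\s"\'<>]*)$#i', $url)) {
        return $url;
    }
    return '';
}

// Hardened rendering: validate the URL, then encode for the context it lands in.
function render_hardened(array $opt): string {
    return '<h1>' . esc_html($opt['intro_title']) . '</h1>'
         . '<img src="' . esc_html(safe_image_url($opt['intro_image'])) . '">';
}

// Check for unpatched installs: flag stored option values that contain markup,
// an inline event handler, or a script-capable scheme.
function looks_suspicious(string $value): bool {
    return (bool) preg_match('/<|javascript:|data:|on\w+\s*=/i', $value);
}

echo render_vulnerable($stored), PHP_EOL;
// <h1>Welcome<img src=x onerror=alert(document.cookie)></h1><img src="javascript:alert(1)">
echo render_hardened($stored), PHP_EOL;
// <h1>Welcome&lt;img src=x onerror=alert(document.cookie)&gt;</h1><img src="">
foreach ($stored as $name => $value) {
    if (looks_suspicious($value)) {
        echo "suspicious value in {$name}", PHP_EOL;
    }
}
```

Sanitizing on input alone, the approach the AI Insight attributes to the fix, is weaker than encoding at output: a stored value can reach a page through more than one code path, and the encoding has to match the context the value lands in (text node, attribute, or URL), which only the rendering code knows.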

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Ecosystem   Affected versions   Patched versions
genix/cms   Packagist   <= 1.1.11           (none listed)

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)