CVE-2023-36211
Description
The Barebones CMS v2.0.2 is vulnerable to Stored Cross-Site Scripting (XSS) when an authenticated user interacts with certain features on the admin panel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Barebones CMS v2.0.2 contains a stored XSS vulnerability in the story title field, allowing authenticated attackers to inject arbitrary JavaScript.
Vulnerability
Barebones CMS v2.0.2 is vulnerable to stored cross-site scripting (XSS) in the story title field. An authenticated user with admin panel access can inject arbitrary JavaScript via the title parameter when creating or editing a story. The payload is stored and executed when other users view the affected story [1].
Exploitation
An attacker must first log in to the admin panel. Then, navigate to the new story page and click the edit button. In the title field, the attacker inserts a payload such as ">. After saving the changes, the script executes immediately for the attacker and persists for any subsequent viewer of the story [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, or theft of sensitive data. Because the XSS is stored, the payload affects all users who access the compromised story [1].
Mitigation
No official patch or workaround is disclosed in the available references. Users should consider restricting admin panel access and monitoring for suspicious activity until a fix is released [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Barebones CMS/Barebones CMSdescription
- Range: =2.0.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output encoding of the story title field allows stored cross-site scripting."
Attack vector
An authenticated attacker with access to the admin panel navigates to the "new story" or "edit story" page [ref_id=1]. The attacker injects a JavaScript payload (e.g., `"><script>alert(1)</script>`) into the title field and saves the story [ref_id=1]. The payload is stored on the server and executed in the browsers of any admin user who subsequently views the affected story, because the application does not sanitize or encode the title before rendering it [ref_id=1].
Affected code
The exploit targets the story title field in the admin panel's "addeditasset" action, specifically the `title` parameter sent via POST to the admin interface [ref_id=1]. The exact file path is not disclosed in the advisory, but the vulnerable functionality resides in the story editing workflow of Barebones CMS v2.0.2 [ref_id=1].
What the fix does
No patch is included in the bundle. The advisory does not provide remediation guidance beyond the general understanding that the application should properly encode or sanitize user-supplied input in the title field before storing or displaying it [ref_id=1]. Without a published fix, administrators should apply input validation and output encoding to all story fields, or restrict trusted users who can create and edit stories.
Preconditions
- authAttacker must be authenticated to the Barebones CMS admin panel.
- inputAttacker must have access to the story creation or editing feature.
Reproduction
1. Log in to the Barebones CMS admin panel. 2. Navigate to the story editor (e.g., `?action=addeditasset&type=story`). 3. Click the edit button and enter `"><script>alert(1)</script>` into the title field. 4. Save the story. 5. The script executes when the story is viewed [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.