VYPR
Moderate severity · NVD Advisory · Published Oct 6, 2023 · Updated Sep 19, 2024

CVE-2023-44771

Description

A Cross-Site Scripting (XSS) vulnerability in Zenario CMS v.9.4.59197 allows a local attacker to execute arbitrary code via a crafted script to the Page Layout.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Zenario CMS 9.4.59197 is vulnerable to stored cross-site scripting in the Page Layout editor, allowing an attacker with admin access to inject arbitrary JavaScript that executes when the page is viewed.

Vulnerability

Details

A stored cross-site scripting (XSS) vulnerability exists in Zenario CMS version 9.4.59197. The root cause is insufficient sanitization of user-supplied input in the Page Layout editing functionality. An attacker can embed a malicious script, such as ``, into a page layout. This payload is then executed in the browser of any administrator who visits the affected page, because the application fails to neutralize the HTML/JavaScript code before rendering it [1][3].

Exploitation

The attack requires an authenticated user with administrative privileges to access the Page Layout editor via the administration menu. The attacker crafts a payload and inserts it into the layout. No special network position is needed beyond access to the admin panel. The stored script persists in the layout and executes automatically when other administrators load the page [3].

Impact

Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the Zenario admin interface. This can lead to session hijacking, defacement, theft of sensitive administrative data, or further lateral movement within the CMS. The vulnerability does not directly compromise the server, but it undermines the security of the administrative session [1][3].

Mitigation

As of the publication date (October 2023), no patch has been officially released. The vendor's repository indicates the software is open source under a BSD license, and users are advised to apply input validation and output encoding to the Page Layout field manually. Organizations using this version should restrict administrative access to trusted users and monitor for any suspicious activity in the Page Layout settings [2][3].
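The advisory's mitigation advice is to validate the Page Layout input and HTML-encode it on output. The following is an added example written for this page, not Zenario's own code, showing that defence in PHP (Zenario is distributed as a PHP package). The field name, the function names and the stored value are assumptions constructed for illustration; the vulnerable and hardened render functions differ only in whether the stored value is encoded before being placed into the admin page.

```php
<?php
// Added example, not Zenario's own code. Demonstrates the defence the advisory
// recommends for the Page Layout field: validate on input, HTML-encode on output.
// The "layout name" field, the function names and the stored sample value are
// hypothetical and constructed for this illustration.

declare(strict_types=1);

/** Encode a string for insertion into HTML text or a quoted attribute value. */
function encodeHtml(string $value): string
{
    // ENT_QUOTES encodes both quote styles so the result is also safe inside
    // attribute values; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the stored layout name is echoed into the admin page unencoded. */
function renderLayoutNameVulnerable(string $storedName): string
{
    return '<h2 class="layout-name">' . $storedName . '</h2>';
}

/** Hardened pattern: the same value is encoded for the HTML context it lands in. */
function renderLayoutNameHardened(string $storedName): string
{
    return '<h2 class="layout-name">' . encodeHtml($storedName) . '</h2>';
}

/**
 * Input validation for a layout name: a display label never legitimately
 * needs markup, so anything outside a conservative character allowlist is
 * rejected. Returns null when the value is rejected.
 */
function validateLayoutName(string $input): ?string
{
    $input = trim($input);
    if ($input === '' || mb_strlen($input, 'UTF-8') > 100) {
        return null;
    }
    // Letters, digits, space, underscore, dot and hyphen only (Unicode-aware).
    return preg_match('/^[\p{L}\p{N} _.\-]+$/u', $input) === 1 ? $input : null;
}

// Constructed sample: a layout record as it might look after a script tag was
// saved into the name field through the editor.
$stored = 'Home <script>alert(1)</script>';

echo 'Vulnerable: ', renderLayoutNameVulnerable($stored), PHP_EOL;
echo 'Hardened:   ', renderLayoutNameHardened($stored), PHP_EOL;

// Validation rejects the sample outright and accepts a plain label.
var_dump(validateLayoutName($stored));
var_dump(validateLayoutName('Home - Landing'));
```

Run with `php example.php`: the vulnerable render emits the stored `<script>` element as live markup, while the hardened render emits it as `&lt;script&gt;` text that the browser displays rather than executes. Output encoding is the control that actually stops the script from running, because it is applied at the point where the value meets the HTML; the input allowlist is defence in depth and only works for fields, like a name, that have no legitimate need for markup.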

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: tribalsystems/zenario (Packagist)
Affected versions: <= 9.4.59197
Patched versions: none listed

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 2

News mentions: 0
