AlexanderLivanov FotosCMS2 Cookie profile.php cross site scripting
Description
A vulnerability classified as problematic was found in AlexanderLivanov FotosCMS2 up to 2.4.3. This vulnerability affects unknown code of the file profile.php of the component Cookie Handler. The manipulation of the argument username leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-243802 is the identifier assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in FotosCMS2 up to 2.4.3 via the username cookie parameter in profile.php allows remote attackers to inject arbitrary scripts.
Vulnerability
In FotosCMS2 versions up to 2.4.3, profile.php echoes the session username (`$_SESSION['username']`) without sanitization. This session variable is set in cfg.php from the username cookie via `$_COOKIE['username']`. An attacker can control this cookie value, leading to a stored/reflected cross-site scripting (XSS) vulnerability. The affected code path is reachable whenever a user accesses profile.php with a crafted cookie. [1]
Exploitation
An attacker can set a malicious username cookie containing a JavaScript payload. By enticing a victim to visit `profile.php` with that cookie set (e.g., via a crafted link or social engineering), the payload executes in the victim's browser. No authentication is required for the attacker to craft the cookie, but the victim must have the cookie present when accessing the page. [1]
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser within the context of the FotosCMS2 site. This can lead to session hijacking, defacement, credential theft, or redirection to malicious sites. The attacker gains the victim's session privileges and can perform actions on behalf of the victim. [1]
Mitigation
The FotosCMS2 repository was archived by the owner on March 15, 2024, and is now read-only. No official patch has been released. Users should consider migrating to an alternative CMS or manually sanitizing the username cookie input before outputting it in profile.php. As of the publication date, this vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
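The manual mitigation described above (sanitizing the username cookie before it is output in profile.php), sketched as an added example; this is not FotosCMS2's own code. The function names, the username allowlist and the sample cookie values are assumptions made for illustration, and the "vulnerable" function only models the cookie-to-session-to-echo flow the description reports.

```php
<?php
declare(strict_types=1);

// Assumed shape of the flaw described above (not the project's actual source):
// cfg.php copies the cookie into the session, profile.php echoes it raw.
function render_profile_vulnerable(array $cookie): string
{
    $session = ['username' => $cookie['username'] ?? ''];    // cfg.php step
    return '<h1>Profile: ' . $session['username'] . '</h1>'; // profile.php step
}

// Output side: encode for the HTML context at the point of output.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input side: accept the cookie only if it looks like a username.
// The 3-32 character allowlist is an assumption; match it to your signup rules.
function username_from_cookie(array $cookie): ?string
{
    $raw = $cookie['username'] ?? null;
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $raw) !== 1) {
        return null; // treat as anonymous rather than trusting the value
    }
    return $raw;
}

// Hardened rendering: validate first, then still encode on output.
function render_profile_hardened(array $cookie): string
{
    $name = username_from_cookie($cookie) ?? 'guest';
    return '<h1>Profile: ' . h($name) . '</h1>';
}

// Constructed sample cookie values, used only to compare the renderers.
$samples = [
    'alice',
    '<b>markup</b>',
    ['nested' => 'array'], // PHP builds arrays from username[nested]=... cookies
];

foreach ($samples as $value) {
    $cookie = ['username' => $value];
    echo 'hardened:     ', render_profile_hardened($cookie), PHP_EOL;
    if (is_string($value)) {
        echo 'encoded only: ', '<h1>Profile: ' . h($value) . '</h1>', PHP_EOL;
        echo 'vulnerable:   ', render_profile_vulnerable($cookie), PHP_EOL;
    }
}
```

Encoding at output is the part that closes the XSS; the allowlist additionally rejects non-string and malformed cookie values before they reach the session.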
Affected products
2 entries: <=2.4.3 + 1 more
- (no CPE) range: <=2.4.3
- (no CPE) range: 2.4.0
Patches
No patches discovered yet.
References
- [1] github.com/AlexanderLivanov/FotosCMS2/issues/18 (mitre; exploit, issue-tracking)
- [2] vuldb.com (mitre; signature, permissions-required)
- [3] vuldb.com (mitre; vdb-entry, technical-description)