WebBoss.io CMS Reflected XSS (Cross Site Scripting) 2022 [1]
CVE-2023-37742
Vendor | |
Product | WebBoss.io CMS |
Affected Version(s) | Before 3.7.0.1 |
Vulnerability Discovery | June 29, 2022 |
Vendor Notification | June 29, 2022 |
Advisory Publication | July 20, 2023 [with technical details] |
Vendor Fix | N/A |
Public Disclosure | July 20, 2023 |
Latest Modification | July 22, 2023 |
CVE Identifier(s) | CVE-2023-37742 |
Product Description | WebBoss.io CMS is a comprehensive website building platform that helps you seamlessly integrate ecommerce and create responsive websites faster. WebBoss gets your site up and running faster than other platforms of its kind. Whether you need to create e-commerce sites, blogs, or brochure sites, WebBoss has your back. |
Credits | Steven Black, Security Analyst, Researcher & Penetration Tester @n0tst3 |
Vulnerability Details
Reflected Cross-Site Scripting (XSS) Vulnerability
Severity: Medium | CVSS Score: 6.1 | CWE-ID: CWE-79 | Status: PENDING |
Vulnerability Description
WebBoss.io CMS before v3.7.0.1 was discovered to contain a reflected XSS via the "q" parameter in the "search.html" page and the "cmd" parameter in the "index.php"/"index.html" pages.
CVSS Base Score
Attack Vector | Network | Scope | N/A |
Attack Complexity | Low | Confidentiality Impact | Low |
Privileges Required | None | Integrity Impact | Low |
User Interaction | Required | Availability Impact | None |
Description
WebBoss.io CMS before 3.7.0.1 contains a reflected Cross-Site Scripting (XSS) vulnerability due to the lack of input validation and output encoding.
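
For sites still running an affected version, web server access logs can be reviewed for requests that place markup characters in the parameters named above. The following is an added example, not part of the original advisory or of WebBoss code; it assumes common/combined log format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Page/parameter pairs named in the advisory.
WATCHED = {"search.html": {"q"}, "index.php": {"cmd"}, "index.html": {"cmd"}}
# Characters that matter when a value is reflected into HTML without encoding.
MARKUP = re.compile(r"[<>\"']")
# Assumption: common/combined log format with the request line in quotes.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (bounded) so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(page, param, decoded_value)] for watched params carrying markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    page = url.path.rsplit("/", 1)[-1].lower()
    hits = []
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name in WATCHED.get(page, ()):
            value = decode_fully(value)
            if MARKUP.search(value):
                hits.append((page, name, value))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Jul/2023:10:00:01 +0000] "GET /search.html?q=red+shoes HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jul/2023:10:00:05 +0000] "GET /search.html?q=%3Cb%3Eprobe%3C%2Fb%3E HTTP/1.1" 200 5301',
    '203.0.113.9 - - [20/Jul/2023:10:01:12 +0000] "GET /index.php?cmd=%2522%253E HTTP/1.1" 200 4410',
    '203.0.113.9 - - [20/Jul/2023:10:01:30 +0000] "GET /about.html?q=%3Cb%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for hit in suspicious_params(line):
            print(hit)
```

Hits are triage leads rather than proof of exploitation: a legitimate search containing an apostrophe will also match.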