CVE-2020-37237 | THREATINT

Description

Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner functionality, which execute for all website visitors when they access the home page.

PUBLISHED Reserved 2026-05-15 | Published 2026-05-16 | Updated 2026-05-18 | Assigner VulnCheck

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

MEDIUM: 6.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

10.0.34

affected

Credits

Parshwa Bhavsar finder

References

www.exploit-db.com/exploits/49190 (ExploitDB-49190) exploit

compo.sr/ (Official Product Homepage) product

compo.sr/download.htm (Product Reference) product

www.vulncheck.com/...istent-cross-site-scripting-via-banners (VulnCheck Advisory: Composr CMS 10.0.34 Persistent Cross-Site Scripting via banners) third-party-advisory

cve.org (CVE-2020-37237)

nvd.nist.gov (CVE-2020-37237)

Download JSON