NotesCMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in NotesCMS, specifically in the page '/index.php?route=categories'. This issue arises from the ability to manipulate the titles of service descriptions, allowing for the injection of arbitrary JavaScript that is executed when the category is viewed. The vulnerability was present in the source code as of commit '7d821a0f028b0778b245b99ab3d3bff1ac10e2d3' (dated May 8, 2024) and has been fixed in commit '95322c5121dbd7070f3bd54f2848079654a0a8ea' (dated March 31, 2025). The vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for the execution of injected JavaScript in the context of the user viewing the affected category, potentially leading to the theft of sensitive information such as cookies, session tokens, and account credentials. Additionally, it could be used to impersonate users and perform unauthorized actions, inject phishing pages, spread malware, or disrupt website functionality.

Reproduction

To reproduce this vulnerability, navigate to '/index.php?route=categories' and edit the content of a category by injecting JavaScript into the title. Once the content is saved, the injected script will execute, demonstrating the cross-site scripting vulnerability. This can also be verified by visiting the category address, where the same JavaScript injection will be executed.

Remediation

Users can update to the version of NotesCMS that includes the fix from commit '95322c5121dbd7070f3bd54f2848079654a0a8ea'.
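
The class of bug described above, a stored title echoed into a page unchanged, is closed in general by encoding the title at output time. The following is an added example, not NotesCMS code and not the content of the fix commit; the function names, the markup and the sample category rows are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode untrusted text for HTML body and quoted-attribute contexts.
function esc(string $value): string
{
    // ENT_QUOTES encodes both ' and " so the value cannot close an attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe pattern: the stored title is concatenated into markup as-is.
function renderCategoryUnsafe(array $category): string
{
    return '<h2 class="category" title="' . $category['title'] . '">'
        . $category['title'] . '</h2>';
}

// Hardened pattern: the title is encoded once, at the point of output,
// and the same encoded value is safe in both the attribute and the body.
function renderCategorySafe(array $category): string
{
    $title = esc((string) $category['title']);
    return '<h2 class="category" title="' . $title . '">' . $title . '</h2>';
}

// Constructed sample rows standing in for stored category records.
$categories = [
    ['id' => 1, 'title' => 'Meeting notes'],
    ['id' => 2, 'title' => 'Q&A <script>alert(1)</script>'],  // markup in body context
    ['id' => 3, 'title' => '" onmouseover="alert(1)'],        // attribute breakout
    ['id' => 4, 'title' => "Caf\xE9"],                        // invalid UTF-8 byte
];

foreach ($categories as $category) {
    $safe = renderCategorySafe($category);
    // Self-check: the only tag and the only quoted attributes in the output
    // must be the ones the template itself wrote.
    if (substr_count($safe, '<') !== 2 || substr_count($safe, '"') !== 4) {
        throw new RuntimeException('unencoded markup in category ' . $category['id']);
    }
    echo 'unsafe: ', renderCategoryUnsafe($category), PHP_EOL;
    echo 'safe:   ', $safe, PHP_EOL;
}
```

Encoding at render time rather than at save time means titles already stored before the update are also neutralised when displayed.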

Added: Aug 26, 2025, 3:55 PM
Updated: Aug 26, 2025, 4:23 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 4.2
exploitability: 7.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.