NotesCMS Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in NotesCMS, specifically in the page '/index.php?route=sites'. This issue arises from the improper handling of service description titles, allowing injected JavaScript to be executed. The vulnerability was present in the source code as of commit '7d821a0f028b0778b245b99ab3d3bff1ac10e2d3' (dated May 8, 2024) and was resolved in commit '95322c5121dbd7070f3bd54f2848079654a0a8ea' (dated March 31, 2025). The vulnerability can be exploited remotely.
Impact
Exploitation of this vulnerability allows arbitrary JavaScript code to execute in the browser session of any user who loads the affected page, potentially leading to the theft of sensitive information such as cookies, session tokens, and account credentials. It could also be used to impersonate users, perform unauthorized actions, inject phishing pages, spread malware, or disrupt website functionality.
Reproduction
To reproduce this vulnerability, navigate to '/index.php?route=sites' and edit the service description title. Inject JavaScript code, such as an image tag with an 'onerror' event handler, and save the changes. The injected script will execute when the page is loaded.
Remediation
Users can update to the version of NotesCMS that includes the fix from commit '95322c5121dbd7070f3bd54f2848079654a0a8ea'.
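The flaw class described above, shown as an added example that is not NotesCMS code: a hypothetical title renderer in its unescaped and escaped forms, plus a check for stored titles that still contain markup and deserve review after upgrading. The function names, the HTML wrapper and the sample titles are assumptions constructed for illustration; this page does not show how the fix commit itself works.

```php
<?php
declare(strict_types=1);

// Hypothetical renderer (not NotesCMS code): the stored title is written
// into the HTML response as-is, so any markup in it is parsed by the browser.
function render_title_unescaped(string $title): string
{
    return '<h3 class="service-title">' . $title . '</h3>';
}

// Hardened form: encode for the HTML context at output time, so the stored
// value is always displayed as text regardless of what was saved.
function render_title_escaped(string $title): string
{
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h3 class="service-title">' . $safe . '</h3>';
}

// Audit helper: true when a stored title contains something a browser would
// parse as the start of a tag, a closing tag, a comment or a declaration.
function title_contains_markup(string $title): bool
{
    return preg_match('/<[a-z!\/?]/i', $title) === 1;
}

// Constructed sample rows standing in for stored service description titles.
$storedTitles = [
    1 => 'Web hosting',
    2 => 'Backups & restore',
    3 => '<img src=x onerror=alert(1)>', // image tag with an onerror handler
];

foreach ($storedTitles as $id => $title) {
    $flag = title_contains_markup($title) ? 'REVIEW' : 'ok';
    printf(
        "[%s] id=%d\n  unescaped: %s\n  escaped:   %s\n",
        $flag,
        $id,
        render_title_unescaped($title),
        render_title_escaped($title)
    );
}
```

Titles saved before the upgrade stay in storage, so a pass like `title_contains_markup` over existing rows shows which entries to inspect and clean.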
