
Qool Cms CVE-2013-20006

EUVD-2013-7292 · HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-15 VulnCheck
8.7
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

CVSS changed (Apr 15, 2026 - 15:22, NVD): 7.5 (HIGH) → 8.7 (HIGH)
PoC Detected (Mar 16, 2026 - 14:53, vuln.today): public exploit code
EUVD ID Assigned (Mar 15, 2026 - 19:00, euvd): EUVD-2013-7292
Analysis Generated (Mar 15, 2026 - 19:00, vuln.today)
CVE Published (Mar 15, 2026 - 18:34, nvd): HIGH 7.5

Description (CVE.org)

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers.

Analysis (AI)

Persistent cross-site scripting (XSS) vulnerability affecting Qool CMS 2.0, allowing unauthenticated attackers to inject malicious JavaScript through multiple administrative POST parameters that execute in administrator browsers. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation is reported (not in KEV), and the CVSS score appears inflated given the actual attack requirements.

Technical Context (AI)

The vulnerability affects Qool CMS (CPE: cpe:2.3:a:qool:qool_cms:*:*:*:*:*:*:*:*), specifically version 2.0 according to ENISA EUVD data. As a CWE-79 (Cross-site Scripting) vulnerability, the root cause is improper neutralization of user input before it's stored in the database and later rendered in HTML contexts. The affected parameters ('title', 'name', 'email', 'username', 'link', 'task') across multiple administrative endpoints (addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, addcontentitem) indicate systematic input validation failures throughout the CMS's admin interface.

Remediation (AI)

No patches are available based on the provided references. The vendor advisory link (http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php) provides vulnerability details but no patch information. Given the age of this vulnerability (2013) and lack of patch references, the product appears abandoned. Organizations should migrate away from Qool CMS to a maintained CMS solution. As an immediate mitigation, implement input validation and output encoding for all affected parameters, or use a Web Application Firewall (WAF) to filter malicious payloads targeting the vulnerable endpoints.
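The following is an added illustration of the "input validation and output encoding" mitigation above; it is not code from this page or from Qool CMS. It models the stored-XSS pattern the description gives (a POST value persisted raw, then rendered into admin HTML) as a vulnerable render function beside a hardened one. The field names 'title', 'name' and 'link' come from the advisory; the HTML template, the in-memory store and the sample POST values are constructed assumptions. The hardened version encodes per output context: HTML body and attribute values get HTML escaping, while the 'link' value, which lands in an href, is additionally checked against a scheme allowlist, because escaping alone does not neutralise a javascript: URL.

```python
import html
from urllib.parse import urlparse

# Constructed sample of what a stored-XSS-prone admin handler receives.
# Field names follow the advisory; the values are test data, not real traffic.
SAMPLE_POST = {
    "title": "Products <script>alert('title')</script>",
    "name": "\" onmouseover=\"alert('name')",
    "link": "javascript:alert('link')",
}

STORE = []  # stand-in for the CMS database table (assumption)


def store_item(post):
    """The 'store' half of stored XSS: the raw POST values are persisted unchanged."""
    STORE.append(dict(post))
    return len(STORE) - 1


def render_vulnerable(item):
    """Before: stored values are concatenated straight into the admin page HTML."""
    return (
        f'<li><a href="{item["link"]}" title="{item["name"]}">'
        f'{item["title"]}</a></li>'
    )


ALLOWED_SCHEMES = {"http", "https"}


def safe_url(value):
    """URL context: allow only absolute http(s) links, then HTML-escape for the attribute.

    urlparse lowercases the scheme, so 'JavaScript:' is caught; leading whitespace
    is stripped so it cannot hide the scheme. Anything else is replaced by '#'.
    """
    parsed = urlparse(value.strip())
    if parsed.scheme not in ALLOWED_SCHEMES:
        return "#"
    return html.escape(value, quote=True)


def render_hardened(item):
    """After: context-aware output encoding applied at render time.

    html.escape(quote=True) turns < > & " ' into entities, so a value cannot
    close the attribute it sits in or open a tag in the element body.
    """
    return (
        f'<li><a href="{safe_url(item["link"])}" '
        f'title="{html.escape(item["name"], quote=True)}">'
        f'{html.escape(item["title"], quote=True)}</a></li>'
    )


if __name__ == "__main__":
    idx = store_item(SAMPLE_POST)
    print("vulnerable:", render_vulnerable(STORE[idx]))
    print("hardened:  ", render_hardened(STORE[idx]))
```

Encoding at render time (rather than only at store time) is the durable fix, since the same stored value may later be emitted into different contexts; input validation on the way in remains worthwhile as defence in depth. The scheme allowlist rejects relative links; if the CMS needs them, extend safe_url to accept paths that begin with a single "/" rather than loosening the scheme check.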


CVE-2013-20006 vulnerability details – vuln.today
