CVE-2013-20006 (EUVD-2013-7292)

Severity: HIGH, CVSS 3.1 base score 7.5
Published: 2026-03-15 (VulnCheck)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

PoC Detected: Mar 16, 2026 - 14:53 (vuln.today) - public exploit code
Analysis Generated: Mar 15, 2026 - 19:00 (vuln.today)
EUVD ID Assigned: Mar 15, 2026 - 19:00 (euvd) - EUVD-2013-7292
CVE Published: Mar 15, 2026 - 18:34 (nvd) - HIGH 7.5

Description

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers.

Analysis

This is a persistent cross-site scripting (XSS) vulnerability affecting Qool CMS 2.0 that allows unauthenticated attackers to inject malicious JavaScript through multiple administrative POST parameters; the injected script executes in administrator browsers. A public proof-of-concept exploit is available on Exploit-DB, though no active exploitation is reported (the CVE is not in KEV), and the CVSS score appears inflated given the actual attack requirements.

Technical Context

The vulnerability affects Qool CMS (CPE: cpe:2.3:a:qool:qool_cms:*:*:*:*:*:*:*:*), specifically version 2.0 according to ENISA EUVD data. As a CWE-79 (Cross-site Scripting) vulnerability, the root cause is improper neutralization of user input before it is stored in the database and later rendered in HTML contexts. The affected parameters ('title', 'name', 'email', 'username', 'link', 'task') across multiple administrative endpoints (addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, addcontentitem) indicate systematic input validation failures throughout the CMS's admin interface.

Affected Products

Qool CMS version 2.0 is confirmed affected per ENISA EUVD-2013-7292. The CPE string (cpe:2.3:a:qool:qool_cms:*:*:*:*:*:*:*:*) uses wildcards, suggesting all versions may be affected, though only version 2.0 is explicitly confirmed. Given the 2013 disclosure date and apparent abandonment of the product, all deployed versions should be considered vulnerable.

Remediation

No patches are available based on the provided references. The vendor advisory link (http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php) provides vulnerability details but no patch information. Given the age of this vulnerability (2013) and lack of patch references, the product appears abandoned. Organizations should migrate away from Qool CMS to a maintained CMS solution. As an immediate mitigation, implement input validation and output encoding for all affected parameters, or use a Web Application Firewall (WAF) to filter malicious payloads targeting the vulnerable endpoints.
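As an added illustration of the output-encoding mitigation recommended above (this is not code from Qool CMS or from the advisory; Python is used for brevity, and the field names and the sample record are constructed from the parameter names listed on this page), the renderer below escapes the text fields and treats the 'link' field separately, because HTML escaping alone does not neutralize a javascript: URL placed in an href attribute:

```python
import html
from urllib.parse import urlsplit

# Fields this page lists as stored unsanitized by the affected admin scripts.
TEXT_FIELDS = ("title", "name", "email", "username", "task")
SAFE_LINK_SCHEMES = {"http", "https"}


def safe_link(value: str) -> str:
    """Return an href-safe URL, or '#' when the stored link is not plain http(s).

    html.escape leaves 'javascript:alert(1)' untouched, so an href context
    needs a scheme allow-list before encoding, not just escaping.
    """
    value = value.strip()
    parts = urlsplit(value)
    if parts.scheme.lower() not in SAFE_LINK_SCHEMES or not parts.netloc:
        return "#"
    return html.escape(value, quote=True)


def render_item(record: dict) -> str:
    """Render one stored record as a table row with context-aware encoding."""
    cells = []
    for field in TEXT_FIELDS:
        # Element/attribute text context: encode & < > " and '.
        cells.append(f"<td>{html.escape(str(record.get(field, '')), quote=True)}</td>")
    href = safe_link(str(record.get("link", "")))
    cells.append(f'<td><a href="{href}">{href}</a></td>')
    return "<tr>" + "".join(cells) + "</tr>"


# Constructed sample record (not data from the advisory) carrying typical
# stored-XSS payloads in a text field, an attribute-breaking field and the link.
SAMPLE_RECORD = {
    "title": "<script>alert(1)</script>",
    "name": 'Bob" onmouseover="x',
    "email": "bob@example.com",
    "username": "bob",
    "task": "edit",
    "link": "javascript:alert(1)",
}

if __name__ == "__main__":
    print(render_item(SAMPLE_RECORD))
```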

Priority Score

Priority Score: 58
KEV: 0
EPSS: +0.0
CVSS: +38
POC: +20
