CVE-2020-23376

Name of the Vulnerable Software and Affected Versions NoneCMS version 1.3

Description The issue concerns a CSRF vulnerability in the public/index.php/admin/nav/add.html endpoint, where an attacker can inject arbitrary web script or HTML via the name parameter to launch a stored XSS attack.

Recommendations For NoneCMS version 1.3, as a temporary workaround, consider restricting access to the public/index.php/admin/nav/add.html endpoint to minimize the risk of exploitation. Avoid using the name parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.