CVE-2021-36454

Name of the Vulnerable Software and Affected Versions Naviwebs Navigate Cms version 2.9

Description The issue is related to a Cross Site Scripting (XSS) vulnerability. It affects various PHP files within the Naviwebs Navigate Cms, including backupsbackups.php, blocksblocks.php, brandsbrands.php, commentscomments.php, couponscoupons.php, feedsfeeds.php, functionsfunctions.php, itemsitems.php, menusmenus.php, ordersorders.php, payment methodspayment methods.php, productsproducts.php, profilesprofiles.php, shipping methodsshipping methods.php, templatestemplates.php, usersusers.php, webdictionarywebdictionary.php, websiteswebsites.php, and webuserswebusers.php. The vulnerability is exploited via the navigate-quickse parameter. The initial url function, which is built into these files, is involved in the vulnerability.

Recommendations For Naviwebs Navigate Cms version 2.9, consider disabling the initial url function as a temporary workaround until a patch is available. Restrict access to the affected PHP files to minimize the risk of exploitation. Avoid using the navigate-quickse parameter in the affected API endpoints until the issue is resolved.