PT-2021-21631 · Rpcms · Rpcms

Zhang Zhiyi · Published 2021-07-26 · Updated 2021-08-06 · CVE-2021-37392

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

RPCMS versions 1.8 and below

Description

The issue arises from the improper sanitization of the nickname variable before it is displayed on a page. When API functions are enabled, an attacker can exploit this by updating a user's nickname with an XSS payload, achieving stored XSS. This stored XSS is triggered when users view articles published by the injected user.

Recommendations

For RPCMS versions 1.8 and below, as a temporary workaround, consider disabling API functions that allow updating user nicknames until a patch is available. Restrict access to API endpoints related to user profile updates to minimize the risk of exploitation. Avoid using the nickname variable in API responses until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
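
Because the payload is stored, disabling the API does not clean nicknames that were already written. The following is an added example, not RPCMS code: a review script that flags stored nicknames containing markup or control characters, plus output encoding for the display side. The row layout (user_id, nickname), the function names and the sample rows are assumptions made for illustration.

```python
import html
import unicodedata

# Characters that can change HTML context when a value is written unescaped.
MARKUP_CHARS = set("<>\"'&`")

def suspicious_reasons(nickname):
    """Return the reasons a stored nickname should be reviewed (empty list = clean)."""
    reasons = []
    # Decode entities and fold compatibility forms (e.g. fullwidth brackets) so
    # values that only become markup after later decoding are also caught.
    folded = unicodedata.normalize("NFKC", html.unescape(nickname))
    found = sorted(MARKUP_CHARS & set(folded))
    if found:
        reasons.append("markup characters: " + " ".join(found))
    if any(unicodedata.category(c) == "Cc" for c in folded):
        reasons.append("control characters")
    return reasons

def audit_nicknames(rows):
    """rows: iterable of (user_id, nickname). Returns [(user_id, reasons), ...]."""
    flagged = []
    for user_id, nickname in rows:
        reasons = suspicious_reasons(nickname)
        if reasons:
            flagged.append((user_id, reasons))
    return flagged

def render_nickname(nickname):
    """Encode a nickname for an HTML text or quoted-attribute context."""
    return html.escape(nickname, quote=True)

# Constructed sample rows, not data from an RPCMS installation.
SAMPLE_ROWS = [
    (1, "alice"),
    (2, "Bob <b>the</b> builder"),
    (3, "carol&lt;i&gt;"),
    (4, "dave\u0000"),
    (5, "王小明"),
]

if __name__ == "__main__":
    for user_id, reasons in audit_nicknames(SAMPLE_ROWS):
        print(user_id, reasons)
```

Flagged rows are candidates for manual review, since a legitimate nickname containing an apostrophe or ampersand is also reported.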

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2021-37392

Affected Products

Rpcms