PT-2021-21632 · Rpcms · Rpcms
Zhang Zhiyi · Published 2021-07-26 · Updated 2021-08-06 · CVE-2021-37393
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
RPCMS versions 1.8 and below
Description
The issue arises from the nickname variable not being properly sanitized before being displayed on a page. An attacker can exploit this by using the update password function to inject XSS payloads into the nickname variable, achieving stored XSS. When users view articles published by the injected user, the XSS is triggered.
Recommendations
For RPCMS versions 1.8 and below, as a temporary workaround, consider restricting the use of the nickname variable until a patch is available. Additionally, limiting user input in the update password function can help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
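The two controls named in the Description and Recommendations above (limiting what the update function accepts as a nickname, and encoding the nickname where it is displayed), as an added example that is not RPCMS code. The function names, the 32-character limit and the allowed character set are assumptions, and PHP is used on the assumption that it matches the RPCMS code base.

```php
<?php
declare(strict_types=1);

// Added illustration; every function name here is hypothetical, not RPCMS code.

// Input side: called by the handler that stores the nickname. Accepts 1-32
// letters, digits, spaces, "_", "." or "-" (assumed policy); returns null otherwise.
function validate_nickname(string $raw): ?string
{
    $nick = trim($raw);
    // \p{L}/\p{N} keep non-Latin names valid; < > " ' & can never match.
    return preg_match('/\A[\p{L}\p{N} _.\-]{1,32}\z/u', $nick) === 1 ? $nick : null;
}

// Output side: encode for an HTML text node or a quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The pattern the advisory describes: stored value concatenated into markup.
function render_byline_unsafe(string $nickname): string
{
    return '<span class="author">' . $nickname . '</span>';
}

// Same template with the nickname encoded at the point of output.
function render_byline_safe(string $nickname): string
{
    return '<span class="author">' . h($nickname) . '</span>';
}

// Constructed sample values, not taken from the advisory.
$samples = ['reader_01', '李伟', '<script>alert(1)</script>'];

foreach ($samples as $stored) {
    $accepted = validate_nickname($stored) !== null;
    echo 'input accepted: ', $accepted ? 'yes' : 'no', PHP_EOL;
    echo 'unsafe render:  ', render_byline_unsafe($stored), PHP_EOL;
    echo 'safe render:    ', render_byline_safe($stored), PHP_EOL, PHP_EOL;
}
```

Output encoding is the control that covers nicknames already stored before any validation was added; the input check only narrows what can be stored from then on.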
Affected Products
Rpcms