CVE-2024-53255

Name of the Vulnerable Software and Affected Versions BoidCMS versions prior to 2.1.2

Description A reflected Cross-site Scripting (XSS) issue exists in the "admin?page=media" endpoint, specifically in the file parameter, allowing an attacker to inject arbitrary JavaScript code. This could lead to stealing the user's session cookie, performing phishing attacks, or defacing the website.

Recommendations For versions prior to 2.1.2, upgrade to version 2.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the "/admin?page=media" endpoint to minimize the risk of exploitation. Avoid using the file parameter in the affected endpoint until the issue is resolved.