CVE-2021-47738

Name of the Vulnerable Software and Affected Versions CSZ CMS version 1.2.7

Description The software contains a persistent cross-site scripting issue that permits unauthorized users to inject malicious JavaScript into private messages. An attacker can send messages containing script payloads within the user-agent header. When an administrator views the message in the backend dashboard, the script will execute. The vulnerable component is the handling of the user-agent header when processing private messages.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize the user-agent header before processing private messages.