CVE-2020-37111

Name of the Vulnerable Software and Affected Versions 60CycleCMS version 2.5.2

Description The software contains a cross-site scripting (XSS) issue in the news.php file. This allows attackers to inject malicious scripts through GET parameters. Attackers can create malicious URLs with XSS payloads targeting the etsu and ltsu parameters to execute arbitrary scripts in victim’s browsers. This does not involve SQL injection.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all input received through the etsu and ltsu parameters in the 'news.php' file.