Cross-Site Scripting Vulnerability in Lepton-CMS by Lepton
CVE-2020-29240

4.8MEDIUM

Key Information:

Vendor: Lepton-cms
Status: Leptoncms
Vendor: CVE Published:; 2 December 2020

What is CVE-2020-29240?

Lepton-CMS version 4.7.0 has a significant cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts via the URL field on the admin page. This issue becomes exploitable when an administrative user accesses specific sections, such as the Menu-Pages-Pages Overview. When the affected page is loaded, the injected script executes within the context of the admin's session, potentially allowing unauthorized actions or data exposure. Website administrators should apply recommended security patches and regularly audit their systems to mitigate the risk of exploitation.

References

https://www.exploit-db.com/exploits/49137

x_refsource_MISC

https://lepton-cms.org/english/home.php

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Dec 2, 2020
Vulnerability Reserved
Nov 27, 2020

Lepton-cms

What is CVE-2020-29240?

References

CVSS V3.1

Timeline