Reflected Cross-site Scripting in BoidCMS Affects Website Security
CVE-2024-53255
5.4 MEDIUM
What is CVE-2024-53255?
BoidCMS, a PHP-based flat-file content management system, is susceptible to a reflected Cross-site Scripting (XSS) vulnerability in the /admin?page=media endpoint. The value of the file parameter is reflected into the response without adequate output encoding, so an attacker can craft a request that injects arbitrary JavaScript into the page as rendered for the victim. Successful exploitation can expose user session cookies, facilitate phishing attacks, or alter website content shown to the victim. The issue is fixed in version 2.1.2; users are urged to upgrade, as there are no known workarounds.
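The root cause of a reflected XSS of this kind is a request parameter written into HTML without context-appropriate encoding. The following PHP snippet is an added illustration, not BoidCMS's own code: it places a vulnerable render function beside a hardened one and adds an allow-list check. The parameter name `file` mirrors the advisory; the page markup, the function names and the sample input are assumptions constructed for the example.

```php
<?php
// Added illustrative example (not BoidCMS code): reflecting a query parameter
// into HTML verbatim versus encoding it for the HTML context it lands in.

// Vulnerable pattern: the untrusted value is concatenated into markup as-is,
// so any '<', '>' or quote characters it contains become part of the HTML.
function render_media_unsafe(string $file): string
{
    return '<p>Viewing file: ' . $file . '</p>';
}

// Hardened pattern: HTML-encode the value before it reaches the page.
// ENT_QUOTES also encodes both quote styles, so the same helper is safe
// inside quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of silently returning an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_media_safe(string $file): string
{
    return '<p>Viewing file: ' . html_escape($file) . '</p>';
}

// Defense in depth: a media filename should be a plain basename, so reject
// anything else before it is used or displayed (assumed policy for the example).
function is_plausible_media_name(string $file): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/', $file);
}

// Request handler using both controls; $query stands in for $_GET.
function handle_media_request(array $query): string
{
    $file = (string) ($query['file'] ?? '');
    if (!is_plausible_media_name($file)) {
        // Still encode the rejected value before echoing it back.
        return '<p>Invalid file name: ' . html_escape($file) . '</p>';
    }
    return render_media_safe($file);
}

// Constructed sample input containing HTML metacharacters (no payload, just
// enough to show the encoding difference).
$sample = '<b>photo.jpg</b>"';

echo "Unsafe output:\n", render_media_unsafe($sample), "\n";
// Prints markup that the browser would interpret: <p>Viewing file: <b>photo.jpg</b>"</p>

echo "Safe output:\n", render_media_safe($sample), "\n";
// Prints inert text: <p>Viewing file: &lt;b&gt;photo.jpg&lt;/b&gt;&quot;</p>

echo "Handler output:\n", handle_media_request(['file' => $sample]), "\n";
// The allow-list rejects the value and the reflected copy is still encoded.

echo "Handler output (valid name):\n", handle_media_request(['file' => 'photo.jpg']), "\n";
```

Run it with `php example.php`. Encoding at the output point is the fix that closes the vulnerability class; the allow-list is an extra layer that rejects values a media viewer has no reason to accept. A response header such as `Content-Security-Policy` that disallows inline script limits the impact if an encoding call is missed elsewhere, but it does not replace output encoding.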
