WebBoss.io CMS Reflected XSS (Cross Site Scripting) 2022 [1]


Vendor WebBoss.io
Product WebBoss.io CMS
Affected Version(s) Before
Vulnerability Discovery June 29, 2022
Vendor Notification June 29, 2022
Advisory Publication July 20, 2023 [with technical details]
Vendor Fix N/A
Public Disclosure 20, July 2023
Latest Modification 22, July, 2023
CVE Identifier(s) CVE-2023-37742
Product Description WebBoss.io CMS is a comprehensive website building platform that helps you seamlessly integrate ecommerce and create responsive websites faster. WebBoss gets your site up and running faster than other platforms of its kind. Whether you need to create e-commerce sites, blogs, or brochure sites, WebBoss has your back.
Credits Steven Black, Security Analyst, Researcher & Penetration Tester @n0tst3

Vulnerability Details

Reflected Cross-Site Scripting (XSS) Vulnerability
Severity: Medium CVSS Score: 6.1 CWE-ID: CWE-79 Status: PENDING
Vulnerability Description
WebBoss.io CMS before v3.7.0.1 was discovered to contain a reflected XSS via "q" parameter in the "search.html" page, "cmd" parameter in the "index.php"/"index.html"
CVSS Base Score
Attack Vector Network Scope N/A
Attack Complexity Low Confidentiality Impact Low
Privileges Required None Integrity Impact Low
User Interaction Required Availability Impact None


WebBoss.io CMS before Contains a reflected Cross-Site Scripting (XSS) vulnerability due to the lack of input validation and output encoding.