CVE-2013-20006
Published: 16 March 2026
Summary
CVE-2013-20006 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Zeroscience (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
Qool CMS is affected by CVE-2013-20006, a set of multiple persistent cross-site scripting (XSS) vulnerabilities (CWE-79) in various administrative scripts. These flaws arise because POST parameters such as 'title', 'name', 'email', 'username', 'link', and 'task' are not properly sanitized before being stored in the database and later returned to users. The vulnerable endpoints include addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact potential.
Remote attackers require no privileges (PR:N) to exploit these issues over the network with low complexity and no user interaction. By submitting malicious JavaScript payloads via the unsanitized POST parameters, attackers can store the code persistently. When administrators access affected pages, the injected scripts execute in their browser context, potentially enabling session hijacking, data theft, or further compromise of the administrative interface.
Advisories and related resources, including the Zero Science Labs report ZSL-2013-5133 (http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php), an Exploit-DB entry (https://www.exploit-db.com/exploits/24627), and a VulnCheck summary (https://www.vulncheck.com/advisories/qool-cms-multiple-persistent-cross-site-scripting-vulnerabilities), document the vulnerabilities but do not specify vendor patches or detailed mitigation steps in the information provided.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2013-7292
Vulnerability details
Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in admin endpoints directly enables web app exploitation (T1190) and browser session hijacking via injected scripts (T1185).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation of POST parameters like 'title' and 'name' to prevent injection of malicious JavaScript into the database.
- SI-15 (Information Output Filtering): mandates filtering of information outputs from vulnerable endpoints to block execution of stored XSS payloads in administrator browsers.
- SI-2 (Flaw Remediation): directly addresses remediation of the persistent XSS flaws in administrative scripts by identifying, reporting, and correcting the sanitization deficiencies.
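The two controls above, and the storage-then-render pattern the deeper analysis describes, as an added Python example that is not Qool CMS code and not from the advisory: a per-field allowlist on the POST parameters the advisory names (SI-10), HTML encoding of stored values at output (SI-15), and a regression check that distinguishes raw interpolation from encoded output. The field patterns and the sample request are assumptions for illustration.

```python
import html
import re

# Per-field allowlists for the POST parameters the advisory names (SI-10,
# input validation). The patterns are assumptions for illustration; the
# real Qool CMS field formats are not given in the advisory.
FIELD_RULES = {
    "title": re.compile(r"^[^<>\x00-\x1f]{1,120}$"),
    "name": re.compile(r"^[^<>\x00-\x1f]{1,120}$"),
    "username": re.compile(r"^[A-Za-z0-9_.-]{1,32}$"),
    "email": re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[A-Za-z]{2,}$"),
    "link": re.compile(r"^https?://[^\s<>\"']{1,200}$"),
    "task": re.compile(r"^[a-z]{1,32}$"),
}

# Tags that would execute or load content if they reach a browser unescaped.
ACTIVE_TAG = re.compile(r"<\s*/?\s*(script|iframe|svg|img|object|embed)\b", re.I)

# Constructed sample request in the shape of the advisory's 'adduser' endpoint.
SAMPLE_POST = {
    "username": "<script>alert(1)</script>",
    "email": "admin@example.test",
    "name": "Jane Admin",
}

def validate_post(params):
    """Return the fields that fail their allowlist; an empty dict means accept."""
    rejected = {}
    for field, value in params.items():
        rule = FIELD_RULES.get(field)
        if rule is None or not rule.fullmatch(value):
            rejected[field] = value
    return rejected

def render_unsafe(stored):
    """The pattern the advisory describes: stored values interpolated raw."""
    return "".join(f"<td>{value}</td>" for value in stored.values())

def render_safe(stored):
    """Output filtering (SI-15): HTML-encode each stored value on the way out."""
    return "".join(f"<td>{html.escape(value, quote=True)}</td>"
                   for value in stored.values())

def has_active_markup(rendered_html):
    """Regression check for an admin page: is any active tag present unescaped?"""
    return ACTIVE_TAG.search(rendered_html) is not None
```

Both layers are needed: the allowlist rejects the sample request before storage, and the encoder keeps a value that slipped past validation (or was written through another path) inert when an administrator's page renders it.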