Cyber Resilience

CVE-2013-20006

Severity: High · Public PoC
Published: 16 March 2026
Modified: 15 April 2026
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0036 (27.4th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2013-20006 is a high-severity Cross-site Scripting (CWE-79) vulnerability attributed to Zeroscience (vendor inferred from references; the deeper analysis below identifies the affected product as Qool CMS). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

Qool CMS is affected by CVE-2013-20006, multiple persistent cross-site scripting (XSS) vulnerabilities (CWE-79) in various administrative scripts. These flaws arise because POST parameters such as 'title', 'name', 'email', 'username', 'link', and 'task' are not properly sanitized before being stored in the database and later returned to users. The vulnerable endpoints include addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact.

Remote attackers require no privileges (PR:N) to exploit these issues over the network with low complexity and no user interaction. By submitting malicious JavaScript payloads via the unsanitized POST parameters, attackers can store the code persistently. When administrators access affected pages, the injected scripts execute in their browser context, potentially enabling session hijacking, data theft, or further compromise of the administrative interface.

Advisories and related resources, including Zero Science Lab report ZSL-2013-5133 (http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php), an Exploit-DB entry (https://www.exploit-db.com/exploits/24627), and a VulnCheck summary (https://www.vulncheck.com/advisories/qool-cms-multiple-persistent-cross-site-scripting-vulnerabilities), document the vulnerabilities but do not specify vendor patches or detailed mitigation steps in the information provided.

Vulnerability details

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS in admin endpoints directly enables web app exploitation (T1190) and browser session hijacking via injected scripts (T1185).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22320 (shared CWE-79)
CVE-2015-20118 (shared CWE-79)
CVE-2025-23846 (shared CWE-79)
CVE-2026-2936 (shared CWE-79)
CVE-2025-24620 (shared CWE-79)
CVE-2026-30862 (shared CWE-79)
CVE-2025-15055 (shared CWE-79)
CVE-2025-67932 (shared CWE-79)
CVE-2025-28928 (shared CWE-79)
CVE-2025-13504 (shared CWE-79)

Affected Assets

Zeroscience (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 (Information Input Validation): Requires validation of POST parameters like 'title' and 'name' to prevent injection of malicious JavaScript into the database.

prevent · SI-15 (Information Output Filtering): Mandates filtering of information output from vulnerable endpoints to block execution of stored XSS payloads in administrator browsers.

prevent · Flaw remediation: Directly addresses remediation of the persistent XSS flaws in administrative scripts by identifying, reporting, and correcting the sanitization deficiencies.
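As an added illustration of the two controls above and of the flaw described in the deeper analysis, not code from Qool CMS or from any of the cited advisories: a Python sketch that allow-list validates the advisory's POST fields on the way in (SI-10) and entity-encodes stored values on the way out (SI-15). The field patterns, the record layout and the sample payload are constructed assumptions.

```python
import html
import re
from urllib.parse import urlparse

# Constructed example, not Qool CMS code: the POST fields named in the advisory,
# each with an allow-list pattern (NIST SI-10, validation at the input boundary).
FIELD_RULES = {
    "title":    re.compile(r"[\w .,:'()-]{1,120}"),
    "name":     re.compile(r"[\w .'-]{1,80}"),
    "username": re.compile(r"[A-Za-z0-9_.-]{3,32}"),
    "email":    re.compile(r"""[^@\s<>"']+@[^@\s<>"']+\.[A-Za-z]{2,}"""),
    "task":     re.compile(r"[a-z_]{1,40}"),
}

def link_is_valid(value: str) -> bool:
    """'link' must be an absolute http(s) URL with no quote or angle-bracket characters."""
    parts = urlparse(value)
    return (parts.scheme in ("http", "https") and bool(parts.netloc)
            and re.search(r"""[<>"']""", value) is None)

def validate_post(params: dict) -> tuple:
    """Split a POST body into (accepted, rejected); unknown fields are rejected."""
    accepted, rejected = {}, {}
    for key, value in params.items():
        if key == "link":
            ok = link_is_valid(value)
        elif key in FIELD_RULES:
            ok = FIELD_RULES[key].fullmatch(value) is not None
        else:
            ok = False
        (accepted if ok else rejected)[key] = value
    return accepted, rejected

def render_row_vulnerable(record: dict) -> str:
    """The pattern behind CWE-79: a stored value is concatenated into HTML unchanged."""
    return "<tr><td>{title}</td><td>{name}</td></tr>".format(**record)

def render_row_hardened(record: dict) -> str:
    """NIST SI-15 at the output: entity-encode every stored value for the HTML-body
    context, whether or not it was validated on the way in."""
    safe = {k: html.escape(v, quote=True) for k, v in record.items()}
    return "<tr><td>{title}</td><td>{name}</td></tr>".format(**safe)
```

The two render functions take the same stored record; only the hardened one neutralises a value that slipped past input validation, which is why the page lists both controls rather than one.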
