Cyber Resilience

CVE-2020-37072

MediumPublic PoC

Published: 03 February 2026

Published
03 February 2026
Modified
10 February 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0005 15.8th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-37072 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Victor Cms Project Victor Cms. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2020-37072 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Victor CMS version 1.0. The issue exists in the 'comment_author' POST parameter of the comment submission form, where attackers can inject malicious JavaScript payloads. These payloads are stored on the server and executed when victims view pages containing the tainted comments. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By submitting crafted JavaScript through the comment form, they can achieve execution of arbitrary code in the browsers of victims who access affected pages, potentially compromising confidentiality and integrity through actions like session theft or data exfiltration.

Advisories and related resources, including the Vulncheck advisory at https://www.vulncheck.com/advisories/victor-cms-commentauthor-persistent-cross-site-scripting, an Exploit-DB entry at https://www.exploit-db.com/exploits/48484, and the project repository at https://github.com/VictorAlagwu/CMSsite, provide further details on the issue, including proof-of-concept exploits. Practitioners should consult these for mitigation guidance, such as input sanitization or upgrades if available.

EU & UK References

Vulnerability details

Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
Why these techniques?

Stored XSS in public-facing CMS directly enables remote exploitation of the web app (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2020-36942Same product: Victor Cms Project Victor Cms
CVE-2020-37076Same product: Victor Cms Project Victor Cms
CVE-2020-37073Same product: Victor Cms Project Victor Cms
CVE-2026-3231Shared CWE-79
CVE-2025-23481Shared CWE-79
CVE-2025-69302Shared CWE-79
CVE-2025-23734Shared CWE-79
CVE-2025-23571Shared CWE-79
CVE-2025-65110Shared CWE-79
CVE-2026-24948Shared CWE-79

Affected Assets

victor cms project
victor cms
1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation and sanitization of untrusted inputs such as the 'comment_author' POST parameter to block malicious JavaScript payloads before storage.

prevent

Requires filtering of information outputs to remove or neutralize embedded scripts in stored comments before they are rendered to victim browsers.

preventdetect

Provides mechanisms to detect and block malicious code (including injected scripts) at input, storage, or rendering points within the CMS.

References