CVE-2020-37072
Published: 03 February 2026
Summary
CVE-2020-37072 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Victor Cms Project Victor Cms. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2020-37072 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Victor CMS version 1.0. The issue exists in the 'comment_author' POST parameter of the comment submission form, where attackers can inject malicious JavaScript payloads. These payloads are stored on the server and executed when victims view pages containing the tainted comments. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By submitting crafted JavaScript through the comment form, they can achieve execution of arbitrary code in the browsers of victims who access affected pages, potentially compromising confidentiality and integrity through actions like session theft or data exfiltration.
Advisories and related resources, including the Vulncheck advisory at https://www.vulncheck.com/advisories/victor-cms-commentauthor-persistent-cross-site-scripting, an Exploit-DB entry at https://www.exploit-db.com/exploits/48484, and the project repository at https://github.com/VictorAlagwu/CMSsite, provide further details on the issue, including proof-of-concept exploits. Practitioners should consult these for mitigation guidance, such as input sanitization or upgrades if available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2020-31012
Vulnerability details
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing CMS directly enables remote exploitation of the web app (T1190) and arbitrary JavaScript execution in victim browsers (T1059.007).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of untrusted inputs such as the 'comment_author' POST parameter to block malicious JavaScript payloads before storage.
Requires filtering of information outputs to remove or neutralize embedded scripts in stored comments before they are rendered to victim browsers.
Provides mechanisms to detect and block malicious code (including injected scripts) at input, storage, or rendering points within the CMS.