CVE-2020-37072
Published: 03 February 2026
Summary
CVE-2020-37072 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Victor Cms Project Victor Cms. Its CVSS base score is 7.2 (High).
Operationally, ranked at the 11.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Validates web inputs to reject script-related content that could produce XSS.
Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
NVD Description
Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the 'comment_author' POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers.
Deeper analysisAI
CVE-2020-37072 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting Victor CMS version 1.0. The issue exists in the 'comment_author' POST parameter of the comment submission form, where attackers can inject malicious JavaScript payloads. These payloads are stored on the server and executed when victims view pages containing the tainted comments. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges or user interaction required. By submitting crafted JavaScript through the comment form, they can achieve execution of arbitrary code in the browsers of victims who access affected pages, potentially compromising confidentiality and integrity through actions like session theft or data exfiltration.
Advisories and related resources, including the Vulncheck advisory at https://www.vulncheck.com/advisories/victor-cms-commentauthor-persistent-cross-site-scripting, an Exploit-DB entry at https://www.exploit-db.com/exploits/48484, and the project repository at https://github.com/VictorAlagwu/CMSsite, provide further details on the issue, including proof-of-concept exploits. Practitioners should consult these for mitigation guidance, such as input sanitization or upgrades if available.
Details
- CWE(s)