Miggo Logo
Miggo Vulnerability Database
CVE-2020-36608

CVE-2020-36608: Tribal Systems Zenario CMS vulnerable to Cross-site Scripting

6.1

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-36608
GHSA ID
GHSA-f92p-f8r2-c87q
EPSS Score
0.19879%
CWE
CWE-79
Published
11/3/2022
Updated
2/1/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
tribalsystems/zenariocomposer< 8.5.513408.5.51340

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub patch shows critical changes in admin_organizer.js where title attributes were being built with item.name. The original code used htmlspecialchars(item.name) once, but XSS was still possible due to context-aware escaping requirements. The vulnerability stems from insufficient output encoding when handling user-supplied referer URLs in error logs, which were then reflected in admin-facing title attributes without proper sanitization. The fix applies double escaping (htmlspecialchars(htmlspecialchars(...))) to prevent this injection.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* vuln*r**ility **s ***n *oun* in Tri**l Syst*ms Z*n*rio *MS prior to v*rsion *.*.*****. *****t** *y t*is issu* is som* unknown *un*tion*lity o* t** *il* `**min_or**niz*r.js` o* t** *ompon*nt `*rror Lo* Mo*ul*`. T** m*nipul*tion l***s to *ross sit* s

Reasoning

T** *it*u* p*t** s*ows *riti**l ***n**s in `**min_or**niz*r.js` w**r* titl* *ttri*ut*s w*r* **in* *uilt wit* `it*m.n*m*`. T** ori*in*l *o** us** `*tmlsp**i*l***rs(it*m.n*m*)` on**, *ut XSS w*s still possi*l* *u* to *ont*xt-*w*r* *s**pin* r*quir*m*nts