Description
Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner functionality, which execute for all website visitors when they access the home page.
Published: 2026-05-16
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A persistent cross-site scripting flaw exists in Composr CMS 10.0.34 that permits authenticated administrators to inject malicious script payloads into the Description field when adding banners. The payload is stored and served to every site visitor on the home page, allowing attackers to steal cookies, deface the site, or redirect users to malicious sites. The weakness is a classic XSS flaw (CWE-79) that compromises the confidentiality and integrity of all site visitors.

Affected Systems

Composr CMS versions 10.0.28 through 10.0.34 are affected. Administrators of any site running these releases are vulnerable when using the banner management feature.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Exploitation requires administrative authentication, so an attacker must already hold a compromised or weakly protected admin account. No exploit probability (EPSS) score is available, and the vulnerability is not listed in the CISA KEV catalog. While an attacker can affect every user who views the home page, the risk is confined to sites whose admin accounts have not been secured or that use the banner feature.

Generated by OpenCVE AI on May 16, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Composr CMS release that removes the vulnerability (e.g., version 10.0.35 or later).
  • If an upgrade is not possible immediately, disable the banner management feature or restrict its usage to a minimal number of trusted administrators.
  • Implement input sanitization or output encoding on the banner description field if a temporary fix is needed.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type (Values Removed -> Values Added):

  Description: Composr CMS 10.0.34 contains a persistent cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the banner management interface. Attackers with admin credentials can inject XSS payloads in the Description field of the Add banner functionality, which execute for all website visitors when they access the home page.
  Title: Composr CMS 10.0.34 Persistent Cross-Site Scripting via banners
  First Time appeared: Compo; Compo composr Cms
  Weaknesses: CWE-79
  CPEs:
    cpe:2.3:a:compo:composr_cms:10.0.28:*:*:*:*:*:*:*
    cpe:2.3:a:compo:composr_cms:10.0.29:*:*:*:*:*:*:*
    cpe:2.3:a:compo:composr_cms:10.0.30:*:*:*:*:*:*:*
    cpe:2.3:a:compo:composr_cms:10.0.31:*:*:*:*:*:*:*
    cpe:2.3:a:compo:composr_cms:10.0.32:*:*:*:*:*:*:*
    cpe:2.3:a:compo:composr_cms:10.0.33:*:*:*:*:*:*:*
    cpe:2.3:a:compo:composr_cms:10.0.34:*:*:*:*:*:*:*
  Vendors & Products: Compo; Compo composr Cms
  References:
  Metrics:
    cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}
    cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Compo Composr Cms
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:25:53.839Z

Reserved: 2026-05-15T14:23:29.915Z

Link: CVE-2020-37237

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-16T16:16:19.827

Modified: 2026-05-16T16:16:19.827

Link: CVE-2020-37237

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T16:30:27Z

Weaknesses