{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2013-20006", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-15T18:03:18.972Z", "datePublished": "2026-03-15T18:34:10.910Z", "dateUpdated": "2026-03-16T14:20:18.616Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T18:34:10.910Z"}, "datePublic": "2013-03-07T00:00:00.000Z", "title": "Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities", "descriptions": [{"lang": "en", "value": "Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Qool", "product": "Qool CMS", "versions": [{"version": "2.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/24627", "name": "ExploitDB-24627", "tags": ["exploit"]}, {"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php", "name": "Vulnerability Advisory", "tags": ["vendor-advisory"]}, {"name": "VulnCheck Advisory: Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/qool-cms-multiple-persistent-cross-site-scripting-vulnerabilities"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2013-20006", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:12:15.496408Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:20:18.616Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2013-20006", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T14:12:15.496408Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T14:17:23.703Z"}}], "cna": {"title": "Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities", "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Qool", "product": "Qool CMS", "versions": [{"status": "affected", "version": "2.0"}]}], "datePublic": "2013-03-07T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/24627", "name": "ExploitDB-24627", "tags": ["exploit"]}, {"url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php", "name": "Vulnerability Advisory", "tags": ["vendor-advisory"]}, {"url": "https://www.vulncheck.com/advisories/qool-cms-multiple-persistent-cross-site-scripting-vulnerabilities", "name": "VulnCheck Advisory: Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-15T18:34:10.910Z"}}}, "cveMetadata": {"cveId": "CVE-2013-20006", "state": "PUBLISHED", "dateUpdated": "2026-03-16T14:20:18.616Z", "dateReserved": "2026-03-15T18:03:18.972Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-15T18:34:10.910Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers."}, {"lang": "es", "value": "Qool CMS contiene m\u00faltiples vulnerabilidades persistentes de cross-site scripting en varios scripts administrativos donde los par\u00e1metros POST no se sanean correctamente antes de ser almacenados y devueltos a los usuarios. Los atacantes pueden inyectar c\u00f3digo JavaScript malicioso a trav\u00e9s de par\u00e1metros como 'title', 'name', 'email', 'username', 'link' y 'task' en puntos finales como addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata y addcontentitem para ejecutar scripts arbitrarios en los navegadores de los administradores."}], "id": "CVE-2013-20006", "lastModified": "2026-04-15T14:56:45.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-16T14:17:46.170", "references": [{"source": "disclosure@vulncheck.com", "url": "http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/24627"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/qool-cms-multiple-persistent-cross-site-scripting-vulnerabilities"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "2.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Qool CMS", "source": "cna", "vendor": "Qool"}, "product": "qool_cms", "vendor": "qool"}], "analysis": {"en": {"generated_at": "2026-03-21T14:36:54.649189+00:00", "value": {"mitigation_remediation": ["Apply the latest Qool CMS patch that addresses the stored XSS flaws", "If a patch is not yet available, immediately implement input validation and output encoding on all POST parameters mentioned in the CVE description", "Deploy a Content Security Policy that restricts execution of inline scripts and disallows loading of remote resources", "Restrict administrative access to trusted IP addresses or enforce two\u2011factor authentication", "Continuously monitor administrative logs for unexpected or suspicious post data and conduct regular security reviews of the CMS code"], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site scripting leading to arbitrary script execution in administrator browsers"}, "threat_synthesis": {"affected_systems": "The vulnerabilities affect Qool CMS as provided by the manufacturer Qool. Specifically, vulnerabilities exist in administrative scripts located in endpoints including addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem. No specific version ranges are listed in the CNA data, so all instances of the CMS that have these endpoints and have not yet been patched are potentially impacted.", "description_and_impact": "Qool CMS is affected by multiple persistent cross\u2011site scripting vulnerabilities that allow an attacker to inject malicious JavaScript through a variety of POST parameters such as title, name, email, username, link, and task. These inputs are stored and later rendered unchanged to users of the administrative interface. The primary impact is the execution of arbitrary scripts in the context of the administrator\u2019s browser, enabling session hijacking, credential theft, or defacement. The underlying weakness is reflected input not being properly sanitized, classifying the flaw under a CWE related to XSS attacks.", "risk_and_exploitability": "The CVSS base score is 8.7, indicating high severity. The EPSS score is reported to be <1%, suggesting a low probability of exploitation in the near term, and the flaw is not included in the CISA KEV catalog. The likely attack vector is a web-based POST request sent to the vulnerable administrative endpoints, requiring the attacker to have a mechanism to convince an authenticated administrator to submit the crafted POST data, or to supply the payload as part of a user\u2011generated entry that will then be rendered by an admin. The vulnerability can be successfully exploited if the attacker can affect the POST data in these forms or if an admin inadvertently submits malicious content."}}}}, "created": "2026-03-16T09:21:24.443559+00:00", "updated": "2026-03-23T14:01:34.170258+00:00", "vendors": ["qool", "qool$PRODUCT$qool_cms"]}