CVE-2013-20006 HIGH

CVE-2013-20006: Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities

Vendor Qool
Product Qool CMS
Weakness CWE-79 · XSS
Published March 15, 2026
Last update March 16, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers.

Key dates

02Disclosure timeline

March 15, 2026 CVE published
March 16, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-6473 code-projects School Fees Payment System fees.php cross site scripting CVE-2024-8236 Elementor Website Builder – More than Just a Page Builder <= 3.25.7 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2023-3726 OCSInventory-ocsreports 2.12.0 - Stored cross-site Scripting CVE-2024-56262 WordPress GS Coaches plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability CVE-2024-32966 Stored Cross-site Scripting in directory listings via file names in static-web-server