CVE-2013-20006

HIGH

Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-20006. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This exploit demonstrates a CSRF vulnerability in Qool CMS v2.0 RC2, allowing an attacker to add a root-level user via a crafted HTML form. It also includes multiple XSS injection examples targeting various admin endpoints.

Description

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users. Attackers can inject malicious JavaScript code through parameters like 'title', 'name', 'email', 'username', 'link', and 'task' in endpoints such as addnewtype, addnewdatafield, addmenu, addusergroup, addnewuserfield, adduser, addgeneraldata, and addcontentitem to execute arbitrary scripts in administrator browsers.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by LiquidWorm · text · webapps · php
https://www.exploit-db.com/exploits/24627


Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Qool CMS v2.0 RC2
Auth required
Prerequisites: Victim must be logged into the admin panel · Attacker must trick victim into visiting a malicious page
devstral-2 · analyzed Mar 16, 2026

References (3)

Core References
Exploit: ExploitDB-24627
https://www.exploit-db.com/exploits/24627
Vendor Advisory: Vulnerability Advisory
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5133.php
Third Party Advisory: VulnCheck Advisory: Qool CMS Multiple Persistent Cross-Site Scripting Vulnerabilities
https://www.vulncheck.com/advisories/qool-cms-multiple-persistent-cross-site-scripting-vulnerabilities

Scores

CVSS v3: 7.5
EPSS: 0.0036
EPSS Percentile: 27.3%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): Qool/Qool CMS 2.0
Published: Mar 16, 2026
Tracked Since: Mar 16, 2026