CVE-2020-29240

MEDIUM

Lepton-CMS 4.7.0 - Stored Cross-Site Scripting via Admin URL Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-29240. PoCs published by Sagar Banwa.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in LEPTON CMS 4.7.0 by injecting a malicious payload into the 'URL' parameter of a page. The payload is executed when a user interacts with the injected element (e.g., via onmouseover event).

Description

Lepton-CMS 4.7.0 is affected by cross-site scripting (XSS). An attacker can inject the XSS payload in the URL field of the admin page and each time an admin visits the Menu-Pages-Pages Overview section, the XSS will be triggered.

Exploits (1)

exploitdb WORKING POC

by Sagar Banwa · textwebappsphp

https://www.exploit-db.com/exploits/49137

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in LEPTON CMS 4.7.0 by injecting a malicious payload into the 'URL' parameter of a page. The payload is executed when a user interacts with the injected element (e.g., via onmouseover event).

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: LEPTON CMS 4.7.0

Auth required

Prerequisites: Admin access to LEPTON CMS · Vulnerable version of LEPTON CMS (4.7.0)

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory, VDB Entry x_refsource_misc

https://www.exploit-db.com/exploits/49137

Product, Vendor Advisory x_refsource_misc

https://lepton-cms.org/english/home.php

Scores

CVSS v3 4.8

EPSS 0.0167

EPSS Percentile 73.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

lepton-cms/leptoncms 4.7.0

Published Dec 02, 2020

Tracked Since Feb 18, 2026