CVE-2020-35853

MEDIUM

4images 1.7.11 - Stored Cross-Site Scripting via Image URL

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-35853. PoCs published by Ritesh Gohil.

AI-analyzed exploit summary: This is a writeup describing a stored XSS vulnerability in 4images v1.7.11, where an attacker can inject malicious JavaScript payloads into the 'Profile Image' URL field. The payload executes when users access the compromised URL, potentially leading to cookie theft or other client-side attacks.

Description

4images Image Gallery Management System 1.7.11 is affected by cross-site scripting (XSS) in the Image URL field. The vulnerability allows an attacker to inject an XSS payload into the Image URL. Each time a user visits that URL, the XSS triggers and the attacker may be able to steal the user's cookie, depending on the crafted payload.

Exploits (1)

exploitdb WRITEUP
by Ritesh Gohil · text · webapps · php
https://www.exploit-db.com/exploits/49339

Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: 4images v1.7.11
Auth required: yes
Prerequisites: Admin access to the 4images panel · Ability to upload/modify image URLs
MITRE ATT&CK: (none listed)
Analyzed by devstral-2 on Feb 16, 2026

References (1)

Core References (1)
Exploit, Third Party Advisory, VDB Entry (x_refsource_MISC)
https://www.exploit-db.com/exploits/49339

Scores

CVSS v3 4.8
EPSS 0.0059
EPSS Percentile 43.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
4homepages/4images 1.7.11
Published Jan 26, 2021
Tracked Since Feb 18, 2026