CVE-2020-37111

MEDIUM

60CycleCMS 2.5.2 - XSS

Title source: llm

Description

60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the 'etsu' and 'ltsu' parameters to execute arbitrary scripts in victim's browsers. This issue does not involve SQL injection.

Exploits (1)

exploitdb WRITEUP

by Unkn0wn · textwebappsphp

https://www.exploit-db.com/exploits/48177

View Code ZIP pw:eip

References (4)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/48177

[Various Sources] http://davidvg.com/

[Various Sources] https://www.opensourcecms.com/60cyclecms

[Third Party Advisory] https://www.vulncheck.com/advisories/cyclecms-newsphp-cross-site-scripting-xss-vulnerability

Scores

CVSS v3 6.1

EPSS 0.0004

EPSS Percentile 10.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

opensourcecms/60cyclecms 2.5.2

Published Feb 03, 2026

Tracked Since Feb 18, 2026