CVE-2020-37240

MEDIUM

Queue Management System 4.0.0 Stored XSS via Add User

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37240. PoCs published by Kislay Kumar.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Queue Management System 4.0.0 by injecting a malicious payload into user input fields, which executes when viewed in the user list.

Description

Queue Management System 4.0.0 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through user creation fields. Attackers can insert JavaScript payloads in the First Name, Last Name, and Email fields during user creation, which execute when viewing the User List page.

Exploits (1)

exploitdb WORKING POC
by Kislay Kumar · textwebappsphp
https://www.exploit-db.com/exploits/49296

This exploit demonstrates a stored XSS vulnerability in Queue Management System 4.0.0 by injecting a malicious payload into user input fields, which executes when viewed in the user list.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Queue Management System 4.0.0
Auth required
Prerequisites: admin access to the application
devstral-2 · analyzed May 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit exploit
ExploitDB-49296
https://www.exploit-db.com/exploits/49296
Product product
Official Product Homepage
http://codekernel.net/
Third Party Advisory third-party-advisory
VulnCheck Advisory: Queue Management System 4.0.0 Stored XSS via Add User
https://www.vulncheck.com/advisories/queue-management-system-stored-xss-via-add-user

Scores

CVSS v3 6.4
EPSS 0.0024
EPSS Percentile 15.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Codekernel/Queue Management System 4.0.0
Published May 16, 2026
Tracked Since May 16, 2026