CVE-2021-47808

MEDIUM

Cotonti Siena 0.9.19 - Stored Cross-Site Scripting via Maintitle Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47808. PoCs published by Fatih İLGİN.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in Cotonti Siena 0.9.19 via the 'maintitle' parameter. The payload is injected through a POST request to the admin configuration panel and triggers when the homepage is visited.

Description

Cotonti Siena 0.9.19 contains a stored cross-site scripting vulnerability in the admin configuration panel's site title parameter. Attackers can inject malicious JavaScript code through the 'maintitle' parameter to execute scripts when administrators view the page.

Exploits (1)

exploitdb · WORKING POC
by Fatih İLGİN · text · webapps · php
https://www.exploit-db.com/exploits/50016


Classification
Working PoC: 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Cotonti Siena 0.9.19
Auth required
Prerequisites: Admin access to the Cotonti Siena application
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026

References (4)


Scores

CVSS v3: 5.4
EPSS: 0.0024
EPSS Percentile: 14.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (2)
cotonti/cotonti_siena 0.9.19
cotonti.com/Cotonti Siena 0.9.19
Published: Jan 16, 2026
Tracked Since: Feb 18, 2026