CVE-2013-0807 in gpEasy
Summary
by MITRE
Cross-site scripting (XSS) vulnerability in the NewSectionPrompt function in include/tool/editing_page.php in gpEasy CMS 3.5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the section parameter in a new_section action to index.php.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 05/09/2026
The CVE-2013-0807 vulnerability represents a critical cross-site scripting flaw within the gpEasy Content Management System version 3.5.2 and earlier installations. This vulnerability specifically targets the NewSectionPrompt function located in the include/tool/editing_page.php file, which serves as a core component for managing content sections within the CMS framework. The flaw manifests when the system fails to properly sanitize user input passed through the section parameter during a new_section action executed via index.php, creating an exploitable entry point for malicious actors to inject arbitrary web scripts or HTML content.
The technical nature of this vulnerability aligns with CWE-79, which categorizes cross-site scripting as a code injection flaw where untrusted data is directly incorporated into web pages without proper validation or sanitization. The vulnerability operates by bypassing the CMS's input validation mechanisms, allowing attackers to manipulate the section parameter to inject malicious payloads that execute in the context of other users' browsers. This occurs because the application does not adequately filter or escape user-supplied data before incorporating it into dynamic web page content, creating a persistent threat vector that can be exploited across multiple user sessions.
From an operational perspective, this vulnerability poses significant risks to both administrators and end-users of gpEasy CMS installations. Remote attackers can leverage this flaw to execute malicious scripts in victims' browsers, potentially leading to session hijacking, credential theft, or unauthorized administrative actions. The impact extends beyond simple data theft as attackers can manipulate the content management interface to inject malicious code that persists across multiple user interactions. This type of vulnerability can also facilitate more sophisticated attacks such as phishing campaigns or the delivery of malware through browser-based exploits, making it particularly dangerous for organizations relying on the CMS for content management and user interaction.
The exploitation of this vulnerability demonstrates the importance of input validation and output encoding practices as outlined in the OWASP Top Ten security principles. Security professionals should implement comprehensive mitigation strategies including immediate patching of affected gpEasy CMS versions, implementing proper input sanitization routines, and deploying web application firewalls to detect and prevent malicious payload delivery. Additionally, organizations should conduct regular security assessments of their CMS installations and maintain updated vulnerability management processes to prevent similar issues from occurring in other components of their web infrastructure. The ATT&CK framework categorizes this vulnerability under the T1059.007 technique for script injection, highlighting the need for defensive measures that specifically address browser-based code execution vulnerabilities.