CVE-2023-48824 in BoidCMS
Summary
by MITRE • 12/07/2023
BoidCMS 2.0.1 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the title, subtitle, footer, or keywords parameter in a page=create action.
Analysis
by VulDB Data Team • 03/01/2026
The vulnerability identified as CVE-2023-48824 affects BoidCMS version 2.0.1 and represents a critical security flaw that allows attackers to inject malicious scripts into web applications through stored cross-site scripting vulnerabilities. This issue specifically manifests when users submit data through the page=create action, where parameters including title, subtitle, footer, and keywords are processed without adequate input sanitization or output encoding mechanisms. The vulnerability falls under the CWE-79 category of Cross-Site Scripting, which is classified as a common weakness in web application security and is frequently targeted by attackers due to its prevalence and potential impact on user sessions and data integrity.
The technical exploitation of this vulnerability occurs when an attacker crafts malicious script code within any of the vulnerable parameters during page creation operations. When other users view pages containing these stored malicious inputs, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or redirection to malicious websites. The stored nature of this XSS vulnerability means that the malicious payloads persist in the application's database and are served to all users who access the affected content, making the attack vector particularly dangerous as it can affect multiple users over extended periods. This vulnerability aligns with ATT&CK technique T1531 which describes the use of malicious scripts to gain access to user sessions and data.
The operational impact of CVE-2023-48824 extends beyond simple script execution as it can enable attackers to manipulate the content and functionality of the BoidCMS platform. An attacker could potentially modify page titles to display misleading information, alter footers to include malicious links, or inject scripts that redirect users to phishing sites. The vulnerability affects the core content management functionality of the platform, potentially allowing unauthorized modification of website content and undermining the trust users place in the site's integrity. Additionally, the compromised system could serve as a launchpad for further attacks within the network if the CMS is integrated with other systems or if users with elevated privileges access the compromised pages.
Mitigation strategies for this vulnerability should include immediate implementation of proper input validation and output encoding mechanisms across all user-facing parameters. The application should sanitize all inputs through comprehensive filtering that removes or encodes potentially dangerous characters and sequences before storing user data. Organizations should implement Content Security Policy headers to limit the execution of unauthorized scripts and consider using secure coding practices such as parameterized queries and proper HTML escaping. The most effective remediation involves updating to a patched version of BoidCMS that addresses the XSS vulnerabilities in the page creation functionality, while also conducting thorough security reviews of all user input handling mechanisms to prevent similar issues in other parts of the application. System administrators should also monitor user-generated content for suspicious patterns and implement regular security testing to identify potential vulnerabilities before they can be exploited by malicious actors.
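The output encoding and Content Security Policy measures described above, shown as an added example that is not BoidCMS code: the four field names come from the advisory, while the function names, page layout, policy value and sample record are assumptions made for illustration.

```php
<?php
// Added illustration, not BoidCMS source. Field names come from the advisory;
// the function names and page layout are hypothetical.

/** Encode a stored value for HTML text and quoted-attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the page; $encode = false reproduces the raw-output weakness. */
function render_page(array $page, bool $encode = true): string
{
    $p = $encode ? array_map('e', $page) : $page;
    return "<title>{$p['title']}</title>\n"
         . "<meta name=\"keywords\" content=\"{$p['keywords']}\">\n"
         . "<h1>{$p['title']}</h1>\n"
         . "<h2>{$p['subtitle']}</h2>\n"
         . "<footer>{$p['footer']}</footer>\n";
}

/** Second layer: no inline script runs even if one encode call is missed. */
function send_csp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

// Constructed record with harmless markup in each field the advisory names.
$page = [
    'title'    => 'News <em>injected</em>',
    'subtitle' => 'A & B <em>injected</em>',
    'footer'   => '</footer><em>injected</em>',
    'keywords' => 'cms" data-injected="1',
];

send_csp();
$raw  = render_page($page, false);
$safe = render_page($page);

// Raw output lets stored text become elements and attributes; encoded output does not.
foreach (['<em>injected</em>', 'data-injected="1'] as $marker) {
    printf("%-20s raw=%s encoded=%s\n", $marker,
        strpos($raw, $marker) !== false ? 'present' : 'absent',
        strpos($safe, $marker) !== false ? 'present' : 'absent');
}
echo $safe;
```

Encoding happens at output time, so records already stored before the fix are rendered safely without rewriting the database; the keywords field needs `ENT_QUOTES` because it lands inside a quoted attribute.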