CVE-2026-58144 in Sienainfo

Summary

by MITRE • 07/10/2026

Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists within Cotonti Siena version 0.9.26 and earlier, representing a critical stored cross-site scripting flaw that can be exploited by authenticated users possessing PFS (Personal File Space) access privileges. The security weakness stems from inadequate input sanitization within the pfs.main.php script where the ntitle parameter is processed through the TXT filter without proper HTML escaping mechanisms. When an attacker creates a folder with malicious HTML content in the title field, the system stores this unfiltered input directly into the database without appropriate encoding or sanitization.

The technical implementation of this vulnerability allows attackers to inject arbitrary script payloads that persist in the system's database storage. The flaw specifically occurs during the processing of user-supplied folder titles through the TXT filter mechanism in pfs.main.php, which fails to properly escape HTML characters before storing the data. This creates a scenario where malicious JavaScript code embedded within folder names can be executed whenever any user views the folder listing page, including administrators who may have elevated privileges and access to sensitive system information.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with persistent access vectors that can compromise entire administrative sessions. Any user who accesses the affected folder listing pages will execute the stored malicious scripts within their browser context, potentially allowing for session hijacking, credential theft, or further exploitation of the web application. The vulnerability affects not only regular users but also administrators who may inadvertently view compromised folder listings, creating a significant risk to system integrity and data confidentiality.

This vulnerability maps directly to CWE-79 - Cross-site Scripting and aligns with ATT&CK technique T1566.001 - Phishing: Spearphishing Attachment, as it enables attackers to create malicious content that executes in the context of legitimate user sessions. The attack chain begins with authenticated access through PFS privileges and leverages the application's failure to sanitize user input before database storage. Organizations should implement immediate mitigations including input validation at multiple layers, proper HTML escaping for all user-supplied content, and regular security audits of input processing functions. Additionally, implementing Content Security Policy headers and adopting a principle of least privilege for PFS access can significantly reduce the attack surface and potential impact of such vulnerabilities.

The stored nature of this XSS vulnerability makes it particularly dangerous as the malicious payloads persist in the database and execute automatically whenever affected pages are rendered. This characteristic allows attackers to maintain persistent access vectors without requiring repeated exploitation attempts, making the vulnerability more impactful than reflected XSS variants. The combination of authenticated access requirements with the ability to target administrator sessions creates a high-risk scenario where attackers can potentially escalate privileges or gain unauthorized access to sensitive system functionality through the execution of malicious scripts in administrative contexts.

Responsible

VulnCheck

Reservation

06/29/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!