CVE-2020-37237 Overview
CVE-2020-37237 is a persistent cross-site scripting (XSS) vulnerability affecting Composr CMS 10.0.34. The flaw resides in the banner management interface, where the Description field of the Add banner functionality fails to sanitize user-supplied input. Authenticated administrators can inject arbitrary JavaScript payloads that are stored server-side and executed in the browser of every visitor to the home page. The issue is tracked under CWE-79 and is detailed in the VulnCheck Compo.SR Advisory and Exploit-DB #49190.
Critical Impact
Stored XSS in banner descriptions executes attacker-controlled JavaScript for all home page visitors, enabling session theft, credential harvesting, and drive-by browser exploitation.
Affected Products
- Composr CMS 10.0.34
- Banner management module (Add banner functionality)
- Public-facing home page rendering banners
Discovery Timeline
- 2026-05-16 - CVE-2020-37237 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2020-37237
Vulnerability Analysis
The vulnerability is a stored (persistent) cross-site scripting flaw in Composr CMS 10.0.34. The banner administration page accepts a Description parameter that is written to the database without HTML encoding or input sanitization. When the CMS later renders banners on the home page, the unsanitized description is emitted directly into the response HTML.
Any payload supplied at banner creation time executes in the security context of the Composr CMS origin for every visitor. Because the payload persists in storage, exploitation does not require interaction with the attacker — visitors trigger execution simply by browsing the home page.
Exploitation requires authenticated administrator privileges, which limits the attack surface. However, the impact extends to unauthenticated end users and other administrators whose sessions can be hijacked once the payload fires.
Root Cause
The root cause is missing output encoding on the banner Description field. Composr CMS does not apply context-aware HTML escaping when rendering banner metadata, allowing raw <script> tags and event handler attributes to reach the DOM. This is a classic CWE-79 failure where data flows from a privileged input into an HTML sink without sanitization.
Attack Vector
An attacker with valid administrator credentials authenticates to the Composr CMS admin panel and navigates to the banner management interface. The attacker submits a new banner with a JavaScript payload placed in the Description field. Once saved, every subsequent home page request returns HTML containing the payload, which executes in each visitor's browser.
Typical exploitation goals include stealing session cookies from authenticated administrators, performing CSRF-like actions on behalf of victims, redirecting visitors to malicious infrastructure, or delivering browser exploits. Full technical reproduction steps are documented in Exploit-DB #49190.
Detection Methods for CVE-2020-37237
Indicators of Compromise
- Banner records containing <script>, onerror=, onload=, or javascript: substrings in the Description column of the Composr CMS database.
- Outbound requests from visitor browsers to unfamiliar domains immediately after loading the Composr CMS home page.
- Unexpected administrator account creation or privilege changes following home page visits by authenticated admins.
Detection Strategies
- Query the Composr CMS banner table for description fields containing HTML tags or JavaScript event handlers.
- Review web server access logs for POST requests to banner administration endpoints originating from unexpected source IPs or at unusual times.
- Deploy a Content Security Policy (CSP) in report-only mode to surface inline script execution on banner-rendering pages.
Monitoring Recommendations
- Enable audit logging on the Composr CMS administration interface and forward events to a centralized SIEM for correlation.
- Alert on administrator authentication from new geolocations or user agents preceding banner modifications.
- Monitor browser telemetry from corporate endpoints for anomalous script execution on trusted Composr CMS domains.
How to Mitigate CVE-2020-37237
Immediate Actions Required
- Audit all existing banners in Composr CMS 10.0.34 and remove any containing HTML or script content in the Description field.
- Rotate administrator credentials and invalidate active sessions if unauthorized banner modifications are found.
- Restrict access to the banner management interface to a minimal set of trusted administrator accounts.
Patch Information
No vendor patch reference is listed in the NVD entry for CVE-2020-37237. Administrators should monitor the Compo.SR Download Page for updated releases and review the VulnCheck Compo.SR Advisory for vendor guidance.
Workarounds
- Apply a strict Content Security Policy that disallows inline scripts (script-src 'self') on pages that render banners.
- Place a web application firewall (WAF) rule in front of Composr CMS that blocks requests to banner endpoints containing HTML tags or JavaScript keywords in the description parameter.
- Enforce multi-factor authentication on all administrator accounts to reduce the likelihood of credential abuse leading to banner injection.
# Example CSP header to mitigate inline script execution
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
