CVE-2021-47950 Overview
CVE-2021-47950 is a stored cross-site scripting vulnerability [CWE-79] in Advanced Guestbook 2.4.4. The flaw resides in the smilies administration interface accessible through admin.php. Authenticated attackers can inject arbitrary JavaScript by manipulating the s_emotion parameter in POST requests. The injected payload persists in the application and executes when an administrator views the smilies tab.
The vulnerability requires low-privilege authentication and user interaction from a victim administrator. Successful exploitation enables session hijacking, administrative action forgery, and content manipulation within the affected guestbook installation.
Critical Impact
Authenticated attackers can persist malicious JavaScript that executes in administrator browsers, enabling account takeover and full guestbook compromise.
Affected Products
- Advanced Guestbook 2.4.4
- AMPPS Advanced Guestbook distribution
- Earlier versions sharing the vulnerable smilies handler
Discovery Timeline
- 2026-05-10 - CVE-2021-47950 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47950
Vulnerability Analysis
The vulnerability is a persistent cross-site scripting flaw in the smilies management feature of Advanced Guestbook 2.4.4. The application accepts user-supplied input through the s_emotion POST parameter without sanitization or output encoding. The value is stored server-side and later rendered into the administrative HTML response when an operator opens the smilies tab.
Because the payload executes in the administrative context, attackers can perform any action available to the logged-in admin. This includes creating accounts, modifying guestbook entries, exfiltrating session cookies, and pivoting toward the underlying hosting environment. The Common Weakness Enumeration mapping is [CWE-79] Improper Neutralization of Input During Web Page Generation.
The EPSS probability for this CVE is 0.032% with a percentile of 9.393, reflecting limited automated exploitation activity. A public proof of concept is available through Exploit-DB entry 49875.
Root Cause
The root cause is missing input validation and output encoding on the s_emotion field within the smilies administration handler in admin.php. The application trusts authenticated administrative input and writes it directly into the rendered HTML without HTML-entity encoding or contextual escaping.
Attack Vector
An authenticated attacker submits a crafted POST request to admin.php with JavaScript content in the s_emotion parameter. The payload is stored in the smilies configuration. When a higher-privileged administrator subsequently loads the smilies tab, the browser parses and executes the injected script under the application's origin. See the VulnCheck Advisory on XSS and Exploit-DB #49875 for technical details.
Detection Methods for CVE-2021-47950
Indicators of Compromise
- POST requests to admin.php containing <script>, onerror=, or javascript: substrings in the s_emotion parameter
- Smilies configuration records storing HTML or JavaScript syntax rather than emoticon text
- Unexpected outbound requests from administrator browser sessions immediately after loading the smilies tab
- New administrative accounts or modified entries created shortly after an admin session
Detection Strategies
- Inspect web server access logs for POST traffic to admin.php with suspicious s_emotion values (default access-log formats record only the request line, so request-body logging or application-level logging must be enabled for the parameter value to be visible)
- Apply WAF signatures that flag script tags, event handlers, and encoded JavaScript in form parameters
- Review the smilies database table for entries containing markup or non-printable characters
- Correlate administrator authentication events with subsequent anomalous administrative actions
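Detection logic for the log-inspection and table-audit strategies above (and for the smilies-record audit listed under the immediate actions below), as an added Python example that is not part of this advisory and not Advanced Guestbook code. The application-log line format, the smilies table layout, and every sample log line and table row are constructed assumptions; the matching rules follow the indicators listed above (script tags, event handlers, javascript: URLs, control characters) while leaving a bare "<" alone so that emoticon codes such as "<3" are not flagged.

```python
"""Detection helpers for CVE-2021-47950 (stored XSS via the s_emotion parameter).

Added example, not Advanced Guestbook code. The log line format, the smilies
table layout and all sample data below are constructed assumptions.
"""
import re
import sqlite3
from urllib.parse import parse_qs

# Markup that has no business in an emoticon code. Matched case-insensitively on the
# URL-decoded value, so percent-encoded payloads are caught too. A bare '<' is NOT
# flagged on its own: codes such as "<3" are legitimate emoticons.
SUSPICIOUS = re.compile(r"<\s*script|<\s*(img|svg|iframe)|on\w+\s*=|javascript\s*:", re.I)


def is_suspicious(value: str) -> bool:
    """True when a smilie value looks like HTML/JavaScript or carries control characters."""
    return bool(SUSPICIOUS.search(value)) or any(ord(c) < 0x20 for c in value)


# Assumed application-log format (default web-server access logs omit the POST body):
#   <timestamp> <client ip> <method> <path> "<url-encoded request body>"
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<body>.*)"$')


def scan_log(lines):
    """Return (timestamp, client ip, decoded s_emotion) for suspicious POSTs to admin.php."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != "/admin.php":
            continue
        # parse_qs URL-decodes each value, so %3Cscript%3E is inspected as <script>
        for value in parse_qs(m["body"], keep_blank_values=True).get("s_emotion", []):
            if is_suspicious(value):
                hits.append((m["ts"], m["ip"], value))
    return hits


def audit_smilies(conn):
    """Return (id, emotion, file) rows whose stored emotion code holds markup or control chars."""
    rows = conn.execute("SELECT id, emotion, file FROM smilies ORDER BY id")
    return [(rid, emotion, file) for rid, emotion, file in rows if is_suspicious(emotion)]


def build_sample_db():
    """Constructed smilies table (assumed layout): two legitimate records and one injected one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE smilies (id INTEGER PRIMARY KEY, emotion TEXT, file TEXT)")
    conn.executemany("INSERT INTO smilies (emotion, file) VALUES (?, ?)", [
        (":-)", "smile.gif"),
        ("<3", "heart.gif"),                            # legitimate, must not be flagged
        ("<img src=x onerror=alert(1)>", "evil.gif"),  # injected record
    ])
    return conn


# Constructed sample log: one benign smilie update, one injected one, one legitimate "<3",
# and an unrelated POST to index.php that is outside the admin.php scope of this check.
SAMPLE_LOG = [
    '2024-05-11T10:00:01Z 198.51.100.7 GET /admin.php?tab=smilies ""',
    '2024-05-11T10:00:09Z 198.51.100.7 POST /admin.php "tab=smilies&s_emotion=%3A-%29&s_file=smile.gif"',
    '2024-05-11T10:02:03Z 203.0.113.5 POST /admin.php "tab=smilies&s_emotion=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&s_file=x.gif"',
    '2024-05-11T10:03:15Z 203.0.113.5 POST /admin.php "tab=smilies&s_emotion=%3C3&s_file=heart.gif"',
    '2024-05-11T10:05:40Z 203.0.113.5 POST /index.php "name=bob&s_emotion=javascript%3Aalert%281%29"',
]

if __name__ == "__main__":
    for ts, ip, value in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious s_emotion in POST /admin.php: {value!r}")
    for rid, emotion, file in audit_smilies(build_sample_db()):
        print(f"smilies row {rid} ({file}) stores markup: {emotion!r}")
```

Run against real data, replace SAMPLE_LOG with the application log stream and build_sample_db with a connection to the live smilies table; the same is_suspicious check serves both paths so that what is alerted on in logs and what is found in storage agree.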
Monitoring Recommendations
- Enable verbose application logging for the smilies administration endpoint
- Forward web server and database logs to a centralized analytics platform for retention and search
- Alert on Content Security Policy violations reported by administrator browsers
- Monitor for outbound HTTP requests from admin sessions to untrusted external hosts
How to Mitigate CVE-2021-47950
Immediate Actions Required
- Restrict access to admin.php using IP allowlisting or HTTP authentication at the web server layer
- Audit all existing smilies records and remove any entries containing HTML or script content
- Rotate administrative credentials and invalidate active sessions
- Deploy a Content Security Policy that disallows inline script execution in administrative pages
Patch Information
No vendor patch has been published in the available references. Operators should evaluate migration away from Advanced Guestbook 2.4.4 or apply input sanitization manually to the smilies handler. Review the AMPPS Advanced Guestbook project page for any updated distributions.
Workarounds
- Disable the smilies administration interface if it is not required for normal operation
- Place a web application firewall in front of the application with rules blocking script payloads in s_emotion
- Apply server-side HTML-entity encoding to smilies fields before storage and on output rendering
- Limit administrative access to trusted networks via VPN or reverse proxy authentication
# Example nginx rule blocking script payloads in the s_emotion parameter.
# A plain nginx "if" cannot do this: "if" runs in the rewrite phase before the
# request body has been read (so $request_body is empty there), and "if" blocks
# cannot be nested. The check is therefore written as an inline ModSecurity rule
# loaded through the ModSecurity-nginx connector (libmodsecurity v3).
location = /admin.php {
    modsecurity on;
    modsecurity_rules '
        SecRuleEngine On
        SecRequestBodyAccess On
        SecRule ARGS_POST:s_emotion "@rx (?i)(<script|onerror=|javascript:)" "id:100001,phase:2,deny,status:403,log,msg:CVE-2021-47950-s_emotion-xss"
    ';
    # keep the existing fastcgi_pass / proxy_pass directives for the PHP backend here
}
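The server-side encoding workaround above (validate on storage, HTML-entity-encode on output), as an added Python model that is not Advanced Guestbook's code: the application is PHP, and the PHP equivalent of html.escape used here is htmlspecialchars with ENT_QUOTES. The vulnerable raw-interpolation pattern is shown beside the hardened renderer. Field names, the emoticon-code format and the sample records are assumptions.

```python
"""Hardened smilies handling for CVE-2021-47950, as an added Python model.

Advanced Guestbook is PHP and this is not its code. It shows the two controls
the workaround calls for: validate the emoticon code before it is stored, and
HTML-entity-encode every stored value when the smilies tab is rendered. Field
names, the emoticon-code format and the sample records are assumptions.
"""
import html
import re

# An emoticon code is short, printable ASCII without whitespace. '<' stays allowed
# because codes like "<3" are real emoticons; it is the output encoder, not a
# character blocklist, that keeps a stored value from being parsed as markup.
EMOTION_CODE = re.compile(r"[\x21-\x7e]{1,16}")
SMILIE_FILE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(gif|png|jpg)")


class SmilieError(ValueError):
    """Raised when a submitted smilie does not look like an emoticon definition."""


def validate_emotion(code: str) -> str:
    if not EMOTION_CODE.fullmatch(code):
        raise SmilieError("emotion code must be 1-16 printable, non-space ASCII characters")
    return code


def validate_file(name: str) -> str:
    if not SMILIE_FILE.fullmatch(name):
        raise SmilieError("smilie image must be a plain filename with a gif/png/jpg extension")
    return name


def store_smilie(table: dict, form: dict) -> None:
    """Write path: the s_emotion and s_file fields are validated before they are stored."""
    code = validate_emotion(form.get("s_emotion", ""))
    table[code] = validate_file(form.get("s_file", ""))


def render_unsafe(table: dict) -> str:
    """The vulnerable pattern: stored values interpolated straight into the admin HTML."""
    rows = [f'<tr><td>{code}</td><td><img src="smilies/{file}"></td></tr>'
            for code, file in table.items()]
    return "<table>" + "".join(rows) + "</table>"


def render_smilies_tab(table: dict) -> str:
    """Read path: every stored value is entity-encoded (quotes included) for the context it lands in."""
    rows = []
    for code, file in table.items():
        e_code = html.escape(code, quote=True)
        e_file = html.escape(file, quote=True)
        rows.append(f'<tr><td>{e_code}</td><td><img src="smilies/{e_file}" alt="{e_code}"></td></tr>')
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    table = {}
    store_smilie(table, {"s_emotion": ":-)", "s_file": "smile.gif"})
    store_smilie(table, {"s_emotion": "<3", "s_file": "heart.gif"})
    try:
        store_smilie(table, {"s_emotion": "<img src=x onerror=alert(1)>", "s_file": "x.gif"})
    except SmilieError as err:
        print("rejected on write:", err)
    # A record injected before the fix was deployed (bypassing the validated write
    # path) is still neutralised by the encoding renderer; the unsafe one emits it raw.
    legacy = dict(table, **{"<img src=x onerror=alert(1)>": "evil.gif"})
    print("unsafe  :", render_unsafe(legacy))
    print("hardened:", render_smilies_tab(legacy))
```

The two controls are deliberately independent: input validation narrows what can be stored, but only output encoding at render time protects against records that were injected before the fix, which is why the audit of existing smilies records and the encoding change belong together.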
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.