CVE-2020-4041

7.4 HIGH

📋 TL;DR

This stored XSS vulnerability in Bolt CMS allows an authenticated attacker to inject malicious JavaScript into a filename by renaming a file after it has been uploaded. Because the rename step does not apply the same checks as the upload step, attackers can also circumvent filename extension restrictions. All Bolt CMS instances before version 3.7.1 are affected.

💻 Affected Systems

Products:
  • Bolt CMS
Versions: All versions before 3.7.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to upload/rename files. File upload functionality must be enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites through stored XSS payloads in filenames.

🟠 Likely Case

Attackers with user accounts could inject XSS payloads that affect other users viewing file listings, potentially stealing credentials or performing limited malicious actions.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executed code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated user access. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.1

Vendor Advisory: https://github.com/bolt/bolt/security/advisories/GHSA-68q3-7wjp-7q3j

Restart Required: No

Instructions:

1. Back up your Bolt CMS installation and database.
2. Update to Bolt CMS version 3.7.1 or later via composer: 'composer require bolt/core:^3.7.1'.
3. Clear the cache if needed.

🔧 Temporary Workarounds

Disable file renaming (scope: all)
  Temporarily disable file renaming functionality for all users.

Implement filename sanitization (scope: all)
  Add custom validation to sanitize filenames before storage.

🧯 If You Can't Patch

  • Restrict file upload permissions to trusted users only
  • Implement web application firewall rules to block XSS payloads in filenames

🔍 How to Verify

Check if Vulnerable:

Check Bolt CMS version in admin panel or via 'composer show bolt/core' command

Check Version:

composer show bolt/core | grep versions

Verify Fix Applied:

Confirm version is 3.7.1 or later and test file renaming with XSS payloads

📡 Detection & Monitoring

Log Indicators:

  • File rename operations with suspicious characters (<, >, script, javascript) in filenames
  • Multiple failed rename attempts with special characters

Network Indicators:

  • HTTP requests with XSS payloads in filename parameters

SIEM Query:

source="web_logs" AND (filename CONTAINS "<script>" OR filename CONTAINS "javascript:")
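The following is an added example, not code from Bolt CMS or from this advisory, that puts the two defensive measures on this page into working form: the "filename sanitization" workaround (an allowlist applied to both upload and rename, so a rename cannot smuggle in characters or an extension that the upload check would have refused, plus output encoding when the stored name is placed into an HTML file listing) and the log indicators behind the SIEM query above, run over a few constructed log lines. The log format, the field names (action, old, new), and the ALLOWED_EXTENSIONS set are assumptions for illustration; they are not Bolt's own configuration or log layout.

```python
import html
import re
from pathlib import PurePosixPath

# Hypothetical upload allowlist; a real deployment would take this from
# the CMS configuration rather than hard-coding it.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Allowlist pattern: must start with an alphanumeric (no dot-files, no
# "../"), and may only contain letters, digits, dot, underscore, hyphen.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def is_safe_filename(name: str) -> bool:
    """Allowlist check to apply on upload AND on rename.

    Applying it at both points closes the gap described in the advisory,
    where a rename could bypass the restrictions enforced at upload time.
    """
    if not SAFE_NAME.fullmatch(name):
        return False
    # Path separators are already excluded by the pattern; stated explicitly
    # so the intent survives if someone later loosens the regex.
    if "/" in name or "\\" in name:
        return False
    ext = PurePosixPath(name).suffix.lstrip(".").lower()
    return ext in ALLOWED_EXTENSIONS


def render_listing_entry(name: str) -> str:
    """Output-encode a stored filename before placing it in an HTML listing.

    Even if a bad name reached storage, escaping at render time turns a
    would-be script into inert text, which is the 'If Mitigated' outcome.
    """
    return f"<li>{html.escape(name, quote=True)}</li>"


# Indicators taken from the advisory's Log Indicators section.
SUSPICIOUS_TOKENS = ("<", ">", "script", "javascript")

# Assumed log line shape for rename events (constructed, not Bolt's format).
RENAME_RE = re.compile(r'action=rename old="([^"]*)" new="([^"]*)"')


def suspicious_rename(log_line: str):
    """Return (old, new) if a rename line carries an indicator, else None."""
    match = RENAME_RE.search(log_line)
    if not match:
        return None
    old, new = match.groups()
    if any(token in new.lower() for token in SUSPICIOUS_TOKENS):
        return (old, new)
    return None


def scan_logs(lines):
    """Apply the rename indicator check to every line; keep the hits."""
    hits = []
    for line in lines:
        result = suspicious_rename(line)
        if result is not None:
            hits.append(result)
    return hits


# Constructed sample log lines (not real Bolt output).
LOG_LINES = [
    '2020-06-10T12:00:01Z user=alice action=rename old="report.pdf" new="report-final.pdf"',
    '2020-06-10T12:00:09Z user=bob action=rename old="photo.png" new="<script>x</script>.png"',
    '2020-06-10T12:00:15Z user=bob action=upload name="notes.txt"',
]

if __name__ == "__main__":
    for candidate in ("report-final.pdf", "<script>x</script>.png", "shell.php", "../evil.png"):
        print(f"{candidate!r:32} safe={is_safe_filename(candidate)}")
    print(render_listing_entry("<b>.png"))
    print(scan_logs(LOG_LINES))
```

The "script" token from the advisory is broad on its own (a legitimate file called description.txt would match), so in practice the rename hits are best fed into a review queue rather than treated as a confirmed incident; the allowlist check, by contrast, is strict enough to refuse the name outright.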
