CVE-2021-47906
Unknown Unknown - Not Provided
Stored XSS in BloofoxCMS Articles Text Allows Cookie Theft

Publication date: 2026-01-23

Last updated on: 2026-01-23

Assigner: VulnCheck

Description
BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users' cookies.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-23
Last Modified
2026-01-23
Generated
2026-06-16
AI Q&A
2026-01-23
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47906
EUVD
EUVD-2026-4295
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor bloofoxcms From 0.5.1.0 (inc) to 0.5.2.1 (inc)
unknown_vendor bloofoxcms 0.5.2.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47906 is a stored cross-site scripting (XSS) vulnerability in bloofoxCMS versions 0.5.1.0 through 0.5.2.1. It exists in the 'text' parameter of articles, allowing authenticated attackers to inject malicious JavaScript payloads. When these scripts are stored and later executed in the context of authenticated users viewing the affected content, attackers can perform actions such as stealing user cookies and potentially hijacking sessions. [1, 2]

Impact Analysis

This vulnerability can impact you by allowing an attacker with valid login credentials to inject malicious scripts into article content. When other authenticated users view this content, the malicious scripts execute in their browsers, potentially stealing their cookies and session information. This can lead to unauthorized access to user accounts, session hijacking, and other malicious activities within the CMS environment. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads injected into the 'text' parameter of articles within the administrative interface of bloofoxCMS versions 0.5.1.0 through 0.5.2.1. Specifically, an authenticated user can verify if the 'text' field in articles contains suspicious scripts such as <img src=# onerror=alert('xss')>. Detection involves logging into the admin panel, navigating to the articles section, and inspecting the content of articles for injected scripts. There are no specific network commands provided, but manual inspection or automated scanning tools targeting stored XSS in the 'text' parameter can be used. [2]

Mitigation Strategies

Immediate mitigation steps include restricting access to the administrative interface to trusted users only, ensuring that only authenticated and authorized users can create or edit articles. Additionally, applying input validation and output encoding on the 'text' parameter to neutralize malicious scripts is critical. If possible, upgrade to a version of bloofoxCMS that patches this vulnerability or apply patches provided by the vendor. As a temporary measure, review and remove any suspicious scripts from existing articles to prevent exploitation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47906. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart