Executive Summary

CVE-2026-37700 is a Cross Site Scripting (XSS) vulnerability in MaxSite CMS version 109.2 that allows low-privilege backend users to upload malicious HTML files via the backend page file upload endpoint.

The vulnerability arises because the upload endpoint does not properly enforce permission checks and only verifies if a user is logged in, allowing any logged-in user, including low-privilege content authors, to upload files.

Although the system restricts some file extensions, it still permits HTML files, which can contain malicious JavaScript. An attacker can upload a crafted HTML file containing JavaScript that, when accessed by a higher-privileged user, can perform unauthorized actions such as accessing sensitive admin pages or disclosing backend information.

Exploitation requires only a valid backend session, which can be obtained via a session cookie or by logging in with a local account.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to significant security impacts including unauthorized disclosure of sensitive backend information and potential further compromise of the CMS backend.

An attacker with low privileges can upload malicious HTML files containing JavaScript that can be triggered by higher-privileged users, enabling actions such as stealing sensitive data or performing unauthorized administrative operations.

This can result in loss of confidentiality, integrity, and possibly availability of the CMS and its data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for unauthorized file uploads to the backend upload endpoint `uploads-require-maxsite.php` that allow HTML files to be uploaded by low-privilege users.

One way to detect exploitation attempts is to monitor HTTP requests to the upload endpoint for POST requests containing HTML files or suspicious payloads.

• Use network monitoring tools (e.g., Wireshark, tcpdump) to filter traffic to the upload endpoint and look for POST requests with HTML content.
• On the server, check the upload directories for unexpected HTML files, especially those recently created or modified.
• Example command to find suspicious HTML files in the upload directory: `find /path/to/uploads -name '*.html' -mtime -7` (to find HTML files modified in the last 7 days).
• Review web server logs for POST requests to `uploads-require-maxsite.php` by users without proper permissions.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable upload endpoint and preventing unauthorized file uploads.

• Restrict access to `uploads-require-maxsite.php` to only trusted, high-privilege users by implementing proper permission checks.
• Temporarily disable or restrict file uploads via the backend upload endpoint until a patch or update is applied.
• Remove or quarantine any suspicious HTML files found in the upload directories.
• Monitor backend sessions and invalidate any suspicious or unknown sessions to prevent attackers from exploiting the vulnerability.
• Apply any available patches or updates from MaxSite CMS once released to fix the access control flaw.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in MaxSite CMS v.109.2 allows unauthorized low-privilege users to upload malicious HTML files that can disclose sensitive backend information. This unauthorized disclosure of sensitive information can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access or exposure.

By enabling attackers to access or disclose sensitive admin information through Cross Site Scripting (XSS) attacks, the vulnerability undermines the confidentiality and integrity of data, potentially violating regulatory requirements for data security and privacy.

Useful 0 Not Useful 0