CM Table Of Contents - Reflected cross-site scripting (XSS)

Description

CM Table Of Contents - Clear navigation for better content discovery 1.2.6 was found to be vulnerable. The web application dynamically generates web content without validating the source of the potentially untrusted data in myapp/views/backend/admin_importexport.php.

Vulnerability

Skims by Fluid Attacks discovered a Reflected cross-site scripting (XSS) in CM Table Of Contents - Clear navigation for better content discovery 1.2.6. The following is the output of the tool:

Skims output

 45 | <li>Minimal row: <code>"""",""Title"","""",""Description""</code></li>
 46 | </ul>
 47 | </div>
 48 |
 49 | <?php if( isset($_GET['msg']) && $_GET['msg'] == 'imported' ): ?>
 50 | <div id=""message"" class=""updated below-h2"">File <?php
 51 | if( $_GET['itemsnumber'] == 0 ) echo 'import failed';
 52 | else 'succesfully imported';
> 53 | ?> (<?php echo $_GET['itemsnumber']; ?> items read from file)</div>
 54 | <?php endif; ?>
 55 |
 56 | <form method=""post"" enctype=""multipart/form-data"">
 57 | <input type=""file"" name=""importCSV"" />
 58 | <input type=""submit"" value=""Import from CSV"" name=""cmtoc_doImport"" class=""button button-primary""/>
 59 | </form><br />
 60 | Format example:<br />
 61 | <pre>
     ^ Col 0

Our security policy

We have reserved the ID CVE-2025-31303 to refer to this issue from now on. Disclosure policy

System Information

• Product: CM Table Of Contents - Clear navigation for better content discovery

• Version: 1.2.6

Mitigation

There is currently no patch available for this vulnerability.