Cross-Site Scripting (XSS) vulnerability on WideStand CMS of Acilia

Posted date 02/08/2023
3 - Medium
Affected Resources

WideStand CMS, versions 5.3.5 and prior.


INCIBE has coordinated the publication of a vulnerability affecting WideStand CMS, a professional CMS solution developed by Acilia and based on the Symfony framework. The vulnerability was discovered by Ángel Heredia Pérez, of Telefónica Tech.

The following code has been assigned to this vulnerability:


  • CVSS v3.1 base score: 5.4.
  • CVSS vector string: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N.
  • Vulnerability type: CWE-79: improper neutralization of input during web page generation (Cross-site Scripting).

There is no reported solution at this time.


CVE-2023-4090: Reflected Cross-site Scripting (XSS) vulnerability in WideStand up to and including version 5.3.5. The application generates one of the meta tags directly from the content of the queried URL, which would allow an attacker to inject HTML/JavaScript code into the response.
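
The pattern CVE-2023-4090 describes, as an added PHP example that is not WideStand's code: a meta tag built from the requested URL, first concatenated as-is and then encoded for the HTML attribute context, with a check a template test could run. The function names, the `og:url` property and the sample URLs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Illustrative only: function names and the og:url property are assumptions,
// not taken from WideStand.

// Unsafe pattern: the requested URL is concatenated into the attribute as-is.
function metaTagUnsafe(string $requestUrl): string
{
    return '<meta property="og:url" content="' . $requestUrl . '">';
}

// Hardened pattern: encode for an HTML attribute context before output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function metaTagSafe(string $requestUrl): string
{
    $encoded = htmlspecialchars($requestUrl, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<meta property="og:url" content="' . $encoded . '">';
}

// Regression check for a template test: the rendered tag must be exactly one
// meta element whose content value holds no raw quote or angle bracket.
function urlStaysInAttribute(string $tag): bool
{
    return preg_match('/^<meta property="og:url" content="[^"<>]*">$/', $tag) === 1;
}

// Constructed sample inputs, treated here as already URL-decoded.
$samples = [
    '/news/summer-festival?page=2&lang=en',
    '/news/x"><b>constructed</b>',
];

foreach ($samples as $url) {
    printf(
        "%-40s unsafe_ok=%s safe_ok=%s\n",
        $url,
        var_export(urlStaysInAttribute(metaTagUnsafe($url)), true),
        var_export(urlStaysInAttribute(metaTagSafe($url)), true)
    );
}
```

In a Twig template the equivalent is to leave autoescaping enabled, or to apply the `escape` filter with the `html_attr` strategy to the value.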