CVE-2020-23376: 
noneCms vulnerability analysis and mitigation

NoneCMS v1.3 contains a Cross-Site Request Forgery (CSRF) vulnerability in public/index.php/admin/nav/add.html. The vulnerability allows attackers to add a navigation column which can be injected with arbitrary web script or HTML via the name parameter to launch a stored XSS attack (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVSS v2.0 Base Score is 4.3 (MEDIUM) with vector (AV:N/AC:M/Au:N/C:N/I:P/A:N). The vulnerability is classified as CWE-352: Cross-Site Request Forgery (CSRF) which occurs when a web application does not sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request (CWE).

The vulnerability allows attackers to perform unauthorized actions by tricking authenticated users into submitting malicious requests. In this case, attackers can add navigation columns containing malicious scripts or HTML content, leading to stored XSS attacks that could potentially compromise user sessions or steal sensitive information (NVD).