Skip to content

NukeViet: Unauthenticated Reflected XSS in Comment Module

High severity GitHub Reviewed Published Jul 13, 2026 in nukeviet/nukeviet

Package

composer nukeviet/nukeviet (Composer)

Affected versions

< 4.5.09

Patched versions

4.6.00

Description

Summary

Reflected XSS in the Comment module via the status_comment URL parameter. The parameter accepts attacker-controlled base64-encoded HTML/JavaScript that is decoded server-side and rendered unescaped into the page. Compounded by a second flaw: the checkss anti-forgery token was derived from a site-wide static value (NV_CACHE_PREFIX) instead of a per-session value, making the token reusable across all users and allowing the attack to be delivered via a simple crafted URL.

Details

Vulnerability 1 — Reflected XSS via status_comment

Affected components:

  • modules/comment/funcs/main.php — parameter ingestion
  • modules/comment/comment.php — decode and template assignment
  • themes/*/modules/comment/comment.tpl — raw render

The status_comment GET/POST parameter is sanitised with get_title(), which applies strip_tags(). Because the parameter is intended to carry a base64-encoded string, its character set ([A-Za-z0-9-_,]) passes through strip_tags() unchanged. The value is later decoded with nv_base64_decode() and assigned to the template variable STATUS_COMMENT without any escaping, which the template then renders raw inside a <div>.

The fundamental flaw is ordering: the filter is applied to the encoded form of the data, before decoding, so it is entirely ineffective against whatever the decoded content contains. Any HTML or JavaScript payload, once base64-encoded, survives the filter and executes in the victim's browser.

Vulnerability 2 — Session-independent checkss token

Affected components:

  • modules/comment/comment.php — token validation in comment-load and comment-module functions
  • modules/comment/funcs/post.php — token validation when posting
  • All caller modules that generate a checkss before invoking the comment system (e.g. modules/news, modules/page)

The checkss token required to load the comment block was computed by hashing the resource parameters together with NV_CACHE_PREFIX:

checkss = md5(module + area + id + allowed + NV_CACHE_PREFIX)

NV_CACHE_PREFIX is a static, site-wide constant — identical for every visitor — derived at install time from the site key and server name. The token therefore has the same value for all users viewing the same article and never changes between sessions.

This token is printed into the public HTML of every page that includes a comment block (as a data-checkss attribute on the comment container). Because the token is not session-bound, an attacker can read it from the page source and reuse it in a crafted URL targeting any other user.

The correct pattern, used consistently elsewhere in the codebase (e.g. modules/contact, modules/banners), is to derive the token from NV_CHECK_SESSION:

NV_CHECK_SESSION = md5(NV_CACHE_PREFIX + session_id)

This binds the token to the current session, so a token obtained by the attacker is invalid for any other user's session.

Attack scenario

  1. Attacker opens any article with a comment block and reads the checkss value from the HTML source.
  2. Attacker constructs a payload (e.g. a credential-phishing overlay) and base64-encodes it.
  3. Attacker delivers the following URL to the victim:
    https://<target>/index.php?language=vi&nv=comment&comment_load=1
      &module=news&area=<area>&id=<id>&allowed=<allowed>
      &checkss=<value_from_step_1>
      &status_comment=<base64_payload>
    
  4. When the victim opens the URL, the decoded payload renders in their browser within the site's origin, with access to cookies, session storage, and the ability to make authenticated requests.

Verified impact: A phishing overlay form was confirmed to transmit captured plaintext credentials to an attacker-controlled server. No authentication is required at any step.

CSP note: NukeViet's Content-Security-Policy includes script-src 'unsafe-inline' and does not restrict navigation, so the policy does not prevent exploitation.

CVSS 3.1

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
Base Score: 8.2 (High)

Metric Value Rationale
Attack Vector Network Exploitable remotely via crafted URL
Attack Complexity Low checkss readable from public HTML; no special setup required
Privileges Required None No authentication needed
User Interaction Required Victim must open the crafted URL
Scope Changed JavaScript executes in victim's browser, crossing the application security boundary
Confidentiality High Full plaintext credential capture demonstrated via phishing overlay
Integrity Low DOM manipulation and authenticated requests possible; no direct backend write access
Availability None No denial-of-service impact

Patches

Both root causes are addressed:

Fix 1 — Bind checkss to user session: Replace NV_CACHE_PREFIX with NV_CHECK_SESSION in all locations that generate or validate the comment checkss token — both inside the comment module itself and in any caller module that constructs the token before invoking the comment system. With a session-bound token, a value obtained by the attacker is invalid for any other user's session, removing the delivery mechanism for this attack.

Fix 2 — Escape decoded output before rendering: Apply nv_htmlspecialchars() to the result of nv_base64_decode($status_comment) before assigning it to the template. This closes the XSS sink as an independent defence-in-depth measure, remaining effective regardless of how the code path is reached.

Fix 1 alone eliminates the exploitability of this specific vector. Fix 2 is a necessary defence-in-depth layer that closes the underlying sink.

CWE

  • CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
  • CWE-565: Reliance on Cookies without Validation and Integrity Checking (contributing factor — session-independent token)

References

@hoaquynhtim99 hoaquynhtim99 published to nukeviet/nukeviet Jul 13, 2026
Published to the GitHub Advisory Database Jul 13, 2026
Reviewed Jul 13, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

EPSS score

Weaknesses

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. Learn more on MITRE.

CVE ID

CVE-2026-48118

GHSA ID

GHSA-mxpf-qgg6-v3ff

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.