MaxSite CMS versions 109.0 through 109.3 contain a cross-site scripting vulnerability in the down_count plugin due to insufficient sanitization of the f_file/f_prefix parameters. This allows remote attackers to inject scripts by manipulating these arguments. The vendor addressed the issue by implementing htmlspecialchars() filtering in version 109.4, which prevents the injection of malicious code and incorrect data display. The vulnerability is classified as a 'Self-XSS' by the vendor, indicating that exploitation requires user interaction. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and user interaction needed, with limited impact on integrity and no impact on confidentiality or availability.

The vulnerability allows an attacker to perform cross-site scripting attacks by injecting malicious scripts through the f_file/f_prefix parameters in the down_count plugin. This could lead to the execution of arbitrary scripts in the context of the affected user's browser, potentially resulting in data manipulation or session hijacking. However, the vendor classifies this as a 'Self-XSS', implying that exploitation requires the user to knowingly execute malicious input, reducing the risk of widespread automated attacks. The CVSS score of 4.8 reflects a medium severity impact with limited integrity impact and no confidentiality or availability impact.

Upgrade MaxSite CMS to version 109.4 or later, where the vulnerability has been fixed by adding htmlspecialchars() filtering to the affected parameters. This official fix prevents the injection of malicious scripts and incorrect data display. Since the vendor has deployed this countermeasure, no additional action is required beyond applying the update.