Vendor: WonderCMS
By: SunCSR (Sun* Cyber Security Research)
CVSS: 8.8 (HIGH)
Stored Cross-Site Scripting
CWE: 79
Product Name: WonderCMS
Affected Version From: 3.1.3
Affected Version To: 3.1.3
Patch Exists: YES
Related CWE: N/A
CPE: a:wondercms:wondercms:3.1.3
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Ubuntu 20.10
2020

WonderCMS 3.1.3 – ‘uploadFile’ Stored Cross-Site Scripting

WonderCMS 3.1.3 is vulnerable to stored cross-site scripting (XSS) via the 'uploadFile' parameter. An attacker can upload a malicious file containing an XSS payload with an extension such as HTML, SVG, or HTM. The uploaded file can then be accessed at the URL http://target.lc/data/files/<name-file>, where the XSS payload can be triggered.

Mitigation:

Ensure that user-supplied input is properly sanitized and validated before being used in the application.
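
One way to apply this mitigation at the upload handler, as an added example that is neither WonderCMS code nor its actual patch: an extension allowlist combined with content sniffing, so HTML, HTM and SVG files are never stored under data/files. The function name `validate_upload`, the allowlist contents and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not WonderCMS code. Names and the allowlist are assumptions.

// Extensions the site agrees to store, mapped to the content type the file
// must really contain. html, htm and svg are deliberately absent: a browser
// runs script in them when they are served from the site's own origin.
const ALLOWED_UPLOADS = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
    'txt'  => 'text/plain',
];

// Returns a safe name to store the file under, or null to reject the upload.
function validate_upload(string $originalName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return null; // extension is not on the allowlist
    }
    // Compare the sniffed content type with the one the extension promises,
    // so markup renamed to an allowed extension is still refused.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($detected !== ALLOWED_UPLOADS[$ext]) {
        return null;
    }
    // Rebuild the name from a conservative character set; dots in the base
    // name are replaced, which removes double extensions like "a.html.png".
    $base = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($originalName, PATHINFO_FILENAME));
    return ($base === '' ? 'file' : $base) . '.' . $ext;
}

// Constructed sample uploads, written to temporary files for the demo.
$samples = [
    'notes.txt'     => "plain constructed text\n",
    'page.html'     => "<html><body>constructed sample</body></html>",
    'disguised.txt' => "<html><body>constructed sample</body></html>",
];
foreach ($samples as $name => $body) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $body);
    var_dump($name, validate_upload($name, $tmp));
    unlink($tmp);
}
```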

Exploit-DB raw data: