Starnightcyber

Name of the Vulnerable Software and Affected Versions: EasyCMS version 1.3 Description: The issue concerns a Stored XSS problem that occurs when posting an article. Four fields are affected: `title`, `keyword`, `abstract`, and `content`. This can be demonstrated through the "/admin/index/index.html#listarticle" API endpoint. Recommendations: For EasyCMS version 1.3, as a temporary workaround, consider restricting user input for the `title`, `keyword`, `abstract`, and `content` fields to minimize the risk of exploitation. Additionally, avoid using the "/admin/index/index.html#listarticle" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: HongCMS version 3.0.0 Description: An issue was discovered in the post news feature, which has Stored XSS via the `content` field. Recommendations: For HongCMS version 3.0.0, update to a newer version that contains a fix for this issue, or as a temporary workaround, consider validating and sanitizing user input in the `content` field to prevent XSS attacks.

Name of the Vulnerable Software and Affected Versions: MiniCMS version 1.10 Description: The issue allows remote attackers to obtain a directory listing of the top-level directory of the web root. This can be achieved by creating a link that becomes available after posting an article, specifically targeting the mc-admin/post.php file. Recommendations: For MiniCMS version 1.10, consider restricting access to the mc-admin/post.php file to prevent unauthorized directory listings until a patch is available.

Name of the Vulnerable Software and Affected Versions: MiniCMS version 1.10 Description: The issue in MiniCMS allows for full path disclosure through a modified `id` field in the `mc-admin/post-edit.php` file. Recommendations: For MiniCMS version 1.10, update the `mc-admin/post-edit.php` file to properly validate and sanitize the `id` field to prevent full path disclosure. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WUZHI CMS version 4.1.0 Description: An issue was discovered in the content-management feature, which has Stored XSS via the `title` or `content` section. Recommendations: For WUZHI CMS version 4.1.0, update to a newer version that contains a fix for this issue, if available. As a temporary workaround, consider restricting user input in the `title` and `content` sections to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WUZHI CMS version 4.1.0 Description: An issue was discovered in the "Extension Module -> System Announcement" feature, which has Stored XSS via an announcement. Recommendations: For WUZHI CMS version 4.1.0, consider disabling the "Extension Module -> System Announcement" feature until a patch is available to prevent exploitation of the Stored XSS issue.