CVE-2019-9016

Name of the Vulnerable Software and Affected Versions MOPCMS versions through 2018-11-30

Description A persistent XSS issue allows remote attackers to inject arbitrary web script or HTML via the form[name] parameter in a mod=column request. This can be demonstrated by the "/mopcms/X0AZgf(index).php?mod=column&ac=list&menuid=28&ac=add&menuid=29" URI.

Recommendations For MOPCMS versions through 2018-11-30, avoid using the form[name] parameter in the mod=column request until the issue is resolved. As a temporary workaround, consider restricting access to the mod=column endpoint to minimize the risk of exploitation.