Godmarlin

**Name of the Vulnerable Software and Affected Versions** DuxCMS version 2.1 **Description** A Cross Site Request Forgery (CSRF) issue in the admin.php file of DuxCMS allows remote attackers to modify application data via the "article/admin/content/add" endpoint. This can be exploited by tricking administrators into performing unintended actions. **Recommendations** For DuxCMS version 2.1, consider implementing CSRF token validation to prevent unauthorized requests. As a temporary workaround, restrict access to the admin.php file and the "article/admin/content/add" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DuxCMS version 2.1 **Description** A Cross Site Scripting (XSS) issue allows remote attackers to run arbitrary code via the `content`, `time`, `copyfrom` parameters when adding or editing a post. This enables attackers to execute malicious scripts on the victim's browser, potentially leading to unauthorized actions. **Recommendations** For DuxCMS version 2.1, as a temporary workaround, consider restricting access to the post addition and editing functionality until a patch is available. Avoid using the `content`, `time`, `copyfrom` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** annyshow DuxCMS version 2.1 **Description** A vulnerability was found in the file admin.php&r=article/AdminContent/edit of the component Article Handler. The manipulation of the `content` argument leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For annyshow DuxCMS version 2.1, as a temporary workaround, consider restricting access to the `admin.php&r=article/AdminContent/edit` endpoint until a patch is available. Avoid using the `content` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** annyshow DuxCMS version 2.1 **Description** A problem has been identified that leads to cross-site request forgery. The issue can be exploited remotely. **Recommendations** For annyshow DuxCMS version 2.1, at the moment, there is no information about a newer version that contains a fix for this issue.