Redey3

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** A security issue exists where an XSS attack can be performed. The issue is related to the "index.php?m=attachment&f=imagecut&v=init&imgurl=" endpoint, which is connected to the coreframe/app/attachment/imagecut.php file. **Recommendations** For WUZHI CMS version 4.1.0, as a temporary workaround, consider restricting access to the "imagecut" function in the attachment module until a patch is available. Avoid using the "imgurl" parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** The issue exists due to a cross-site scripting (XSS) flaw. This flaw can be exploited via the `index.php` endpoint, specifically through the `m`, `f`, `v`, `x`, and `y` parameters. The vulnerable endpoint is `/index.php?m=core&f=map&v=baidumap&x=[XSS]&y=[XSS]`, which ultimately affects the `coreframe/app/core/map.php` file. **Recommendations** For WUZHI CMS version 4.1.0, consider restricting access to the `index.php` endpoint with the specified parameters until a patch is available. As a temporary workaround, avoid using the `x` and `y` parameters in the affected API endpoint.

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** A security issue exists where an XSS attack can be performed. The issue is related to the "index.php?m=message&f=message&v=add" endpoint, specifically with the `username` variable. **Recommendations** For WUZHI CMS version 4.1.0, as a temporary workaround, consider validating and sanitizing user input for the `username` variable in the "index.php?m=message&f=message&v=add" endpoint to prevent XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WUZHI CMS version 4.1.0 **Description** A security issue exists where an XSS attack can be performed. The issue is related to the "index.php?m=content&f=postinfo&v=listing&set iframe=" API endpoint, which is connected to the coreframe/app/content/postinfo.php file. **Recommendations** For WUZHI CMS version 4.1.0, as a temporary workaround, consider restricting access to the "index.php?m=content&f=postinfo&v=listing&set iframe=" endpoint until a patch is available. Avoid using the `set iframe` parameter in the affected API endpoint until the issue is resolved.