CVE-2018-14512

Name of the Vulnerable Software and Affected Versions WUZHI CMS version 4.1.0

Description A persistent XSS issue allows remote attackers to inject arbitrary web script or HTML via the form[nickname] parameter to the "index.php?m=core&f=set&v=sendmail" API endpoint. The XSS payload is triggered when the administrator accesses the system settings - mail server screen.

Recommendations For WUZHI CMS version 4.1.0, avoid using the form[nickname] parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the system settings - mail server screen to minimize the risk of exploitation.