PT-2019-9477 · Wuzhi · Wuzhi Cms

Published 2019-03-07 · Updated 2019-03-08 · CVE-2018-17426

CVSS v3.1: 5.4 Medium

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

WUZHI CMS version 4.1.0

Description

WUZHI CMS is affected by a stored XSS issue that can be triggered via the Extension module, specifically through the "SMS in station" field. The field is reachable under the index.php?m=core URI, which is an API endpoint, and is the vulnerable parameter.

Recommendations

For WUZHI CMS version 4.1.0, as a temporary workaround, consider restricting access to the Extension module and the "SMS in station" field until a patch is available. Avoid using the "SMS in station" field at the index.php?m=core URI endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2018-17426

Affected Products

Wuzhi Cms