CVE-2022-40849

Name of the Vulnerable Software and Affected Versions ThinkCMF version 6.0.7

Description The issue allows an attacker to inject a Persistent XSS payload in the Slideshow Management section, executing arbitrary JavaScript code on the client side. This could be used to steal the administrator's PHP session token, specifically the PHPSESSID.

Recommendations For ThinkCMF version 6.0.7, consider disabling the Slideshow Management section until a patch is available to prevent the injection of malicious JavaScript code. Restrict access to this section to minimize the risk of exploitation. Avoid using the Slideshow Management feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.