CVE-2023-41425

Name of the Vulnerable Software and Affected Versions Wonder CMS versions 3.2.0 through 3.4.2

Description The issue is related to a Cross Site Scripting vulnerability that allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component. This vulnerability can lead to code execution and potentially other security issues. The estimated number of potentially affected devices is not specified. There have been real-world incidents where this issue was exploited, including a scenario where an attacker used it to gain access to a system and exfiltrate database credentials.

Recommendations For Wonder CMS versions 3.2.0 through 3.4.2, consider disabling the installModule component until a patch is available to prevent exploitation. Restrict access to this component to minimize the risk of arbitrary code execution. Avoid using the installModule component for uploading scripts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.