CVE-2024-43006

Name of the Vulnerable Software and Affected Versions ZZCMS2023 (affected versions not specified)

Description A stored cross-site scripting (XSS) issue exists in the ask/show.php file at line 21. An attacker can exploit this by sending a specially crafted POST request to "/user/ask edit.php?action=add", which includes malicious JavaScript code in the content parameter. When a user visits the "ask/show {newsid}.html" page, the injected script is executed in the context of the user's browser, potentially leading to theft of cookies, session tokens, or other sensitive information.

Recommendations As a temporary workaround, consider disabling the ask/show.php file or restricting access to the "/user/ask edit.php?action=add" endpoint until a patch is available. Avoid using the content parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.