Summary
Multiple reflected XSS vulnerabilities were found in Maccms v10 v2024.1000.3000. They allow arbitrary HTML/JavaScript to be executed in the victim's browser, potentially resulting in the theft of administrator cookies.
Details
In commit 026a289, the vendor applied the htmlspecialchars function and the mac_filter_xss method to all of the variables mentioned in CVE-2022-26573.
However, we found that {$param.input} is still not filtered in the parent-onselectresult front-end function in some files.
Because {$param.input} is output directly into the page, there are three reflected XSS vulnerabilities.
It is worth noting that although the newly discovered vulnerabilities involve the same parameter name as CVE-2022-26573, the point at which it is output is different.
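As an added illustration, not code from Maccms or from the reporter, the following PHP snippet contrasts echoing a request value straight into a template, which is what an unfiltered {$param.input} amounts to, with escaping it for the context it lands in. The helper names, the sample value and the shape of the parent.onselectresult call are assumptions for the example only.

```php
<?php
// Added example, not Maccms code. Shows why an unescaped template variable
// such as {$param.input} is a reflected-XSS sink and how context-appropriate
// encoding neutralises it. Function names and the sample value are constructed.

declare(strict_types=1);

// Unsafe: the raw request value is interpolated into markup unchanged,
// so a quote in the value closes the attribute and a tag lands in the DOM.
function render_unsafe(string $input): string
{
    return '<input type="text" value="' . $input . '">';
}

// Safe for an HTML body or attribute context: encode <, >, &, " and '.
// This is the role htmlspecialchars plays in the fix for CVE-2022-26573.
function render_escaped(string $input): string
{
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" value="' . $safe . '">';
}

// Safe when the value is passed as an argument to an inline JavaScript call
// (the assumed shape of the parent.onselectresult callback): JSON-encode it
// with the HEX flags so quotes and angle brackets cannot terminate the string
// literal or the enclosing <script> block. HTML escaping alone is not the
// right tool for a JavaScript string context.
function render_js_arg(string $input): string
{
    $js = json_encode(
        $input,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>parent.onselectresult(' . $js . ');</script>';
}

// Constructed sample: a value that closes the attribute and injects a tag.
$sample = '"><b>injected</b>';

echo render_unsafe($sample), PHP_EOL;   // attribute broken out of, <b> rendered
echo render_escaped($sample), PHP_EOL;  // characters shown literally, no new element
echo render_js_arg($sample), PHP_EOL;   // still one string argument, no new tag
```

When reviewing a template fix of this kind, check every place the variable is emitted rather than only the one named in the earlier report: the same parameter escaped in one view and echoed raw in another is exactly the situation described above.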
Proof of Concept (POC)