In YzmCMS 5.6, Stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected arbitrary web script or HTML.
PoC
In yzmcms\common\static\plugin\ueditor\1.4.3.3\php\config.json, when the value of action parameter is 'uploadvideo' or 'uploadfile', it allows remote user to upload a swf file:
Description
In YzmCMS 5.6, Stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected arbitrary web script or HTML.
PoC
In yzmcms\common\static\plugin\ueditor\1.4.3.3\php\config.json, when the value of action parameter is 'uploadvideo' or 'uploadfile', it allows remote user to upload a swf file:
So I write and compile an evil swf file whose source code is as follows:
Then I upload the swf file through common/static/plugin/ueditor/1.4.3.3/php/controller.php without login:
When background administrator previews this attachment, it will cause XSS attack:
The text was updated successfully, but these errors were encountered: