CVE-2021-40910: Multiple reflective XSS vulnerabilities on the management side · Issue #I493K8 · Snow/phpcms - Gitee.com
There is a reflective cross-site scripting (XSS) vulnerability in the PHPCMS V9.6.3 management side.
Multiple template files directly "echo" GET parameters, so the filtering in the system is ineffective, resulting in XSS vulnerabilities.
phpcms/modules/admin/templates/ip_search_list.tpl.php
payload:
http://host-web/index.php?m=admin&c=ipbanned&a=search_ip&search[ip]=11111%%27&dosubmit=%E6%90%9C%E7%B4%A2&pc_hash=iOuPFL&menuid=%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E
Many template files in the project code have this problem.
phpcms/modules/admin/templates/log_list.tpl.php
phpcms/modules/admin/templates/setting.tpl.php
and many more
It is recommended to add a way to pass parameters to the template files, instead of having the templates obtain request parameters such as GET or POST directly.
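One way to apply this recommendation, shown as an added example that is not PHPCMS code: the controller validates the request values and hands them to the template, which escapes everything it prints. All function names here are hypothetical, the HTML fields are constructed, and treating menuid as a non-negative integer is an assumption.

```php
<?php
// Added illustration, not PHPCMS code. All function names are hypothetical.

// Pattern described in the report: the template prints the GET value as-is.
function render_vulnerable(array $get): string
{
    return '<input type="hidden" name="menuid" value="' . ($get['menuid'] ?? '') . '">';
}

// Escape for HTML body and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Controller side: validate once, pass only typed values to the template.
// Assumption: menuid is a non-negative integer identifier.
function build_view_params(array $get): array
{
    $menuid = filter_var($get['menuid'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);
    $ip = $get['search']['ip'] ?? '';
    return [
        'menuid' => $menuid === false ? 0 : $menuid, // reject anything non-numeric
        'ip'     => is_string($ip) ? $ip : '',       // drop array-typed input
    ];
}

// Template side: reads only $params, never $_GET/$_POST, and escapes on output.
function render_safe(array $params): string
{
    return '<input type="hidden" name="menuid" value="' . e((string) $params['menuid']) . '">'
         . '<input type="text" name="search[ip]" value="' . e($params['ip']) . '">';
}

// Constructed request, using the decoded parameter values from the report's URL.
$get = [
    'menuid' => '"><img src=x onerror=alert(1)>',
    'search' => ['ip' => "11111%'"],
];

echo render_vulnerable($get), PHP_EOL;              // markup breaks out of the attribute
echo render_safe(build_view_params($get)), PHP_EOL; // menuid becomes 0, ip is entity-encoded
```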