Headline
CVE-2023-46504: YXBOOKCMS Stored XSS · Issue #1 · PwnCYN/YXBOOKCMS
Cross Site Scripting (XSS) vulnerability in PwnCYN YXBOOKCMS v.1.0.2 allows a physically proximate attacker to execute arbitrary code via the library name function in the general settings component.
Product Name:
YXBOOKCMS
Affect version:
1.0.2
Case Address:
https://down.chinaz.com/soft/37726.htm (Program download address)
https://www.ys-bs.com/ (The website address has been hacked)
Vulnerability Type:
Stored XSS
Description:
The library name can be modified in the general settings section of the backend homepage.
Due to the lack of filtering of input user content in the code, executable JavaScript code can be executed. As the modified part is the website title, the code will be triggered every time it is accessed, resulting in a storage based XSS vulnerability.
An attacker can write XSS statements to obtain user information (cookies, etc.) that visits the website.