CVE-2022-38527: UCMS-v1.6/UCMS_v1.6.0 XSS.md at gh-pages · Zoe0427/UCMS-v1.6

UCMS v1.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Import function under the Site Management page.


**UCMS_v1.6.0 has a stored cross-site scripting (XSS) vulnerability**

**vendor: http://uuu.la/**

Download link for UCMS-1.6 installation package: http://uuu.la/uploadfile/file/ucms_1.6.zip

1. Enter the background (the admin back end) and click Site Management, then click Import column.

2. Configure the parameters as shown in the picture, then click Submit.

3. Continue, and click OK to import.

4. Next, add the following after the column name:

666<script>alert(document.cookie)</script>

5. Check the submitted content: the XSS code is triggered successfully, and a pop-up shows the sensitive cookie information.

6. The pop-up appears for any user who visits the home page. If that user is logged in, the cookie value is disclosed directly.
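
The steps above work because the column name is stored and later written into the home page without output encoding. The following is an added example, not UCMS code: it assumes a PHP application, and the function names (`validate_column_name`, `render_column_unsafe`, `render_column_safe`) and the list markup are hypothetical. It shows the vulnerable rendering pattern beside an encoded one, plus an allow-list check at import time.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: UCMS's real import and template code is not shown on the page.

/** Import-time check: accept only plain names, reject markup and control characters. */
function validate_column_name(string $name): bool
{
    // Letters and digits in any script (so Chinese names pass), spaces, "_" and "-".
    return preg_match('/^[\p{L}\p{N} _\-]{1,64}\z/u', trim($name)) === 1;
}

/** Vulnerable pattern: the stored value is concatenated into HTML unchanged. */
function render_column_unsafe(string $name): string
{
    return '<li class="column">' . $name . '</li>';
}

/** Hardened pattern: encode for the HTML context every time the value is output. */
function render_column_safe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li class="column">' . $encoded . '</li>';
}

// Constructed sample rows; the last one is the column name from step 4.
$stored = ['News', '产品中心', '666<script>alert(document.cookie)</script>'];

foreach ($stored as $name) {
    printf("accepted at import: %s\n", validate_column_name($name) ? 'yes' : 'no');
    printf("unsafe: %s\n", render_column_unsafe($name));
    printf("safe:   %s\n\n", render_column_safe($name));
}
```

Output encoding is the control that closes the hole, since rows stored before any import check was added are still rendered. Marking the session cookie `HttpOnly` additionally keeps `document.cookie` from exposing it, although it does not remove the injection itself.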
