Primary

Context

CSZ CMS HTML Injection Vulnerability in Member Messaging System

Vulnerability

A HTML injection vulnerability has been identified in CSZ CMS version 1.2.7. This vulnerability allows authenticated users to inject malicious hyperlinks into message titles. Exploitation involves sending crafted POST requests through the member messaging system, which could be used for phishing or social engineering attacks.

Impact

Exploitation of this vulnerability could lead to HTML injection, allowing for the insertion of malicious links that could be used in phishing or social engineering attacks.

Reproduction

To reproduce this vulnerability, an authenticated user can send a POST request to the '/member/insertpm/' endpoint. The request must include a 'title' parameter containing the injected HTML link, along with a 'message' parameter. This can be done using a tool like Burp Suite or Postman.

Remediation

Users are advised to upgrade to CSZ CMS version 1.3.2, which addresses this vulnerability.

Added: Dec 23, 2025, 8:20 PM

Updated: Dec 23, 2025, 8:20 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

6.5

remediation

0.0

relevance

1.7

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

6.5

remediation

0.0

relevance

1.7

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

CSZ CMS HTML Injection Vulnerability in Member Messaging System

Vulnerability

Impact

Reproduction

Remediation

Affected Products

CSZ CMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating