Westboy CicadasCMS Cross-Site Scripting Vulnerability in Category Save Function

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in Westboy CicadasCMS version 1.0. The issue arises in the category save functionality, where the categoryName parameter is not properly sanitized before being output, allowing for the injection of malicious scripts. This vulnerability can be exploited remotely and requires user interaction.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to session hijacking, theft of sensitive information such as cookies, or manipulation of page content.

Reproduction

To reproduce this vulnerability, send a POST request to the /system/cms/category/save endpoint. Include a crafted categoryName parameter that contains malicious script content. The response will confirm the successful addition of the category, indicating that the injected script has been executed.
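The weakness described above is the classic stored-XSS shape: a parameter is accepted on save and later concatenated into HTML without encoding. The following Python snippet is an added illustration, not code from CicadasCMS, and it assumes a form-encoded POST body (the page only names the endpoint and the `categoryName` parameter). It contrasts the vulnerable rendering pattern with the hardened one (HTML-encoding at the output boundary) and adds an input-side check that a reviewer or request filter could use to flag suspicious category names as defence in depth.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample body for a POST to /system/cms/category/save.
# The body layout (parentId etc.) is assumed; only the endpoint and the
# categoryName parameter come from the advisory.
SAMPLE_BODY = "categoryName=News%3Cscript%3Ealert(1)%3C%2Fscript%3E&parentId=0"


def parse_category_name(body: str) -> str:
    """Extract the categoryName parameter from a form-encoded POST body."""
    return parse_qs(body).get("categoryName", [""])[0]


def render_category_unsafe(name: str) -> str:
    """Vulnerable pattern: the stored value is concatenated into HTML as-is,
    so any markup inside it becomes part of the page."""
    return f'<li class="category">{name}</li>'


def render_category_safe(name: str) -> str:
    """Hardened pattern: HTML-encode at the output boundary.
    quote=True also encodes ' and ", so the value is safe in attributes too."""
    return f'<li class="category">{html.escape(name, quote=True)}</li>'


# Anything that looks like a tag, an inline event handler, or a javascript: URL.
ACTIVE_MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=|javascript:",
                           re.IGNORECASE)


def looks_like_markup_injection(name: str) -> bool:
    """Input-side heuristic for logging or rejecting suspicious names.
    This is defence in depth only; output encoding is the actual fix."""
    return ACTIVE_MARKUP.search(name) is not None


def contains_live_script(rendered: str) -> bool:
    """True if the rendered HTML still carries an un-encoded <script> tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    name = parse_category_name(SAMPLE_BODY)
    print("stored value:", name)
    print("unsafe render:", render_category_unsafe(name))
    print("safe render:  ", render_category_safe(name))
    print("flagged:", looks_like_markup_injection(name))
```

The safe renderer turns `<` and `>` into `&lt;` and `&gt;`, so the browser displays the category name literally instead of executing it; the heuristic is deliberately conservative and is meant to raise an alert or a log line, not to replace encoding.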

Added: Sep 27, 2025, 4:17 PM
Updated: Sep 27, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.