JIZHICMS Cross-Site Scripting Vulnerability in Comment Handler

A cross-site scripting (XSS) vulnerability has been identified in JIZHICMS versions through 2.5.5. The issue resides in the Comment Handler component, specifically within the file '/index.php/admins/Comment/addcomment.html'. The vulnerability is triggered by manipulating the 'body' argument, allowing for the injection of malicious scripts. This vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, navigate to the 'Interactive Management' section and select 'Comment List'. Click on 'Add Comment' to access the comment submission form. Once the form is open, intercept the request using a web application proxy. In the request body, insert a payload that includes a script, such as an image tag with an 'onerror' event. After submitting the comment, the injected script will be executed when the comment is viewed, demonstrating the successful exploitation of the XSS vulnerability.