ZZCMS 2025 Cross-Site Scripting Vulnerability in URL Handler Component

A cross-site scripting (XSS) vulnerability has been identified in ZZCMS version 2025. The issue arises in the URL Handler component, specifically within the file '/3/ucenter_api/code/register_nodb.php'. The vulnerability is triggered by manipulating the '$_SERVER['PHP_SELF']' variable, which is then outputted without proper sanitization. This flaw allows remote attackers to inject malicious scripts that could be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute scripts in the context of the user's session.

Reproduction

To reproduce this vulnerability, send a request to the 'register_nodb.php' file with a crafted '$_SERVER['PHP_SELF']' value that includes a script tag. This can be done by appending the script payload to the URL, which will be executed once the page is loaded.