Primary

Context

MRCMS Cross-Site Scripting Vulnerability in File Upload Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in MRCMS version 3.1.2. The issue resides in the file upload function of the FileController component, specifically within the /admin/file/upload.do interface. The vulnerability arises from improper handling of the 'path' parameter, which allows attackers to inject malicious JavaScript that could be executed in the context of the user’s browser, potentially leading to theft of login credentials.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, access the /admin/file/upload.do endpoint and include a crafted 'path' parameter that contains malicious JavaScript, such as a script tag with JavaScript code, such as an alert() function. This can be done by sending a request to the server with the malicious 'path' value.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

7.9

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.0

impact

1.7

exploitability

7.9

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

MRCMS Cross-Site Scripting Vulnerability in File Upload Component

Vulnerability

Impact

Reproduction

Affected Products

MRCMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating