YouDianCMS Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in YouDianCMS version 9.5.21. The issue arises in the file '/App/Tpl/Admin/Default/Log/index.html', where the application fails to properly sanitize user input from the 'UserName' and 'LogType' parameters. This lack of security filtering allows attackers to inject malicious JavaScript, which is then executed in the context of the user's browser. The vulnerability can be exploited remotely.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the victim's browser.

Reproduction

To reproduce this vulnerability, log into the YouDianCMS admin panel and navigate to the log management section. Once there, send a request to the 'index.php/Admin/log/index' endpoint with either the 'UserName' or 'LogType' parameter containing the injected script, such as a JavaScript alert. The server will return the injected script in the response, which will be executed in the browser.