HkCms Cross-Site Scripting Vulnerability in Search Component

A cross-site scripting (XSS) vulnerability has been identified in HkCms versions up to 2.3.2.240702. The issue resides in the Search component, specifically within the file '/index.php/search/index.html'. The vulnerability is triggered by manipulating the 'keyword' argument, which allows for the injection of malicious scripts. This vulnerability can be exploited remotely and does not require authentication, although it does involve some user interaction.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser. This could lead to the leakage of administrator cookies, potentially allowing for session hijacking.

Reproduction

To reproduce this vulnerability, send a request to '/index.php/search/index.html' with a crafted 'keyword' argument that includes the desired script payload. The injected script will be executed in the context of the user's browser, demonstrating the cross-site scripting vulnerability.