JiZhiCMS
cpe:2.3:a:jizhicms:jizhicms:*:*:*:*:*:*:*
- <= 2.5.6
A stored cross-site scripting vulnerability has been identified in JiZhiCMS versions through 2.5.6. The issue resides in the release function of the UserController, where the application inadequately sanitizes input. While it filters out script tags, it fails to remove harmful event handler attributes from other HTML elements, such as the onerror attribute in image tags. This oversight enables authenticated remote attackers to inject arbitrary web scripts or HTML by exploiting the body parameter in a POST request to /user/release.html.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could lead to session theft or abuse of privileges, depending on the victim's user rights.