Juzaweb CMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in Juzaweb CMS version 5.0.0. This issue allows an authenticated administrator to inject arbitrary JavaScript into the 'Add Banner Ads' function. The injected script is executed in the browser of any user who visits the homepage, including those who are not logged in.

Impact

Exploitation results in stored cross-site scripting: the injected script is saved with the banner and executes in the browser context of each user who views the homepage.

Reproduction

To reproduce this vulnerability, log into the Juzaweb CMS admin panel as an administrator. Navigate to the 'Banner Ads' section and select 'Add Banner'. Change the 'Type' to 'HTML' and insert a script payload, such as a script tag containing JavaScript code, into the 'Body' field. After submitting the banner ad, the injected script will execute when the homepage is accessed.
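
As an added example (not code from Juzaweb or from this advisory), the following Python audit checks banner 'Body' values for the script-capable markup the reproduction describes: script elements, inline event handlers and script URLs. The function names and sample rows are constructed, and how banner bodies are exported from the CMS is assumed and not shown.

```python
from html.parser import HTMLParser

# Elements that execute or embed active content when the banner is rendered.
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
# Attributes whose value is a URL the browser may load or navigate to.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}

class BannerAudit(HTMLParser):
    """Collects script-capable constructs found in one banner body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and unescapes values.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value:
                # Strip whitespace before the scheme check (over-matches, fine for an audit).
                url = "".join(value.split()).lower()
                if url.startswith(("javascript:", "data:text/html")):
                    self.findings.append(f"script URL in {name} on <{tag}>")

def audit_banner(body):
    """Return the findings for one banner body (empty list if none)."""
    parser = BannerAudit()
    parser.feed(body)
    parser.close()
    return parser.findings

def audit_all(rows):
    """Map banner id to findings, for banners that have any."""
    results = ((banner_id, audit_banner(body)) for banner_id, body in rows)
    return {banner_id: found for banner_id, found in results if found}

# Constructed sample rows (id, body); not data from a real site.
SAMPLE_BANNERS = [
    (1, '<a href="/sale"><img src="/img/sale.png" alt="Sale"></a>'),
    (2, '<script>console.log("banner")</script>'),
    (3, '<img src="/img/x.png" onerror="console.log(1)">'),
    (4, '<a href="JaVaScript:void(0)">promo</a>'),
]

if __name__ == "__main__":
    for banner_id, found in audit_all(SAMPLE_BANNERS).items():
        print(banner_id, found)
```

This is a triage aid for reviewing stored banners, not a sanitizer: an empty result does not show that a body is safe to render.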

Added: May 6, 2026, 7:10 PM
Updated: May 6, 2026, 7:10 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.4
exploitability: 6.0
remediation: 0.0
relevance: 7.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.