YiFang CMS Cross-Site Scripting Vulnerability in Single Page Group Management
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in YiFang CMS version 2.0.5. The issue resides in the 'name' parameter of the 'D_singlePageGroup.php' file within the admin interface. This vulnerability is classified as stored XSS, as the 'name' parameter is saved in the database without proper sanitization. An attacker can exploit this by injecting a malicious script, which is executed when the single-page category list is accessed.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, log into the admin panel of a YiFang CMS 2.0.5 installation. Navigate to the 'singlePageGroup' management interface. Use the 'update' function to submit a 'name' parameter containing a script, such as an SVG tag with an 'onload' event. Once submitted, the injected script will execute when the category list is accessed.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.