GouguCMS Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in GouguCMS version 4.08.18. This issue resides in the Record Endpoint, specifically within the file \gougucms-master\app\admin\view\user\record.html. The vulnerability allows low-privileged users to inject malicious scripts into the 'value.content' argument, which are then executed when an administrator accesses the activity logs or records in the backend dashboard. This exploitation could lead to the theft of administrative session cookies or unauthorized actions performed with administrative privileges.

Impact

Successful exploitation allows for blind cross-site scripting, where injected scripts are executed in the context of an administrator's session, potentially leading to session hijacking or unauthorized administrative actions.

Reproduction

To reproduce this vulnerability, a low-privileged user must inject a script payload, such as a JavaScript alert, into a form that submits to the Record Endpoint. Once the payload is stored in the database, an administrator must view the records, triggering the execution of the injected script.
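The mitigation for this class of bug is to encode stored content when it is rendered into the admin view. The sketch below is an added example, not code from GouguCMS or the original advisory: the record shape (`id`, `content`), the function names and the sample records are assumptions made for illustration. It shows an unencoded row renderer beside an encoded one, plus a triage helper for records that are already stored.

```javascript
// Added example (not GouguCMS code). Record shape and names are assumed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode a value for the HTML text/attribute context.
function escapeHtml(value) {
  // Coerce first so null or numeric database values still pass through encoding.
  return String(value ?? '').replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Before: stored content is concatenated into markup as-is, so any markup
// a low-privileged user saved is parsed by the administrator's browser.
function renderRowUnsafe(record) {
  return '<tr><td>' + record.id + '</td><td>' + record.content + '</td></tr>';
}

// After: every database-sourced field is encoded at output time.
function renderRowSafe(record) {
  return '<tr><td>' + escapeHtml(record.id) + '</td><td>' +
    escapeHtml(record.content) + '</td></tr>';
}

// Triage: return ids of stored records whose content looks like markup,
// so they can be reviewed after the renderer is fixed.
function findSuspectRecords(records) {
  const markup = /<[a-z!\/]|&#|javascript:/i;
  return records
    .filter((r) => markup.test(String(r.content ?? '')))
    .map((r) => r.id);
}

// Constructed sample records (not real data).
const sampleRecords = [
  { id: 1, content: 'user alice updated profile' },
  { id: 2, content: '<script>alert(1)</script>' },
  { id: 3, content: 'quota 5 < 10 & rising' },
];

for (const rec of sampleRecords) {
  console.log(renderRowSafe(rec));
}
console.log('review ids:', findSuspectRecords(sampleRecords));
```

Encoding at output time protects the view even when older records were stored before any input filtering existed.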

Added: Apr 1, 2026, 2:20 AM
Updated: Apr 1, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.4
exploitability: 6.5
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.