weison-tech/yii2-rbac is vulnerable to cross-site scripting (XSS). The attack is possible because it does not sanitize the name field submitted to /contact.html via protected\core\modules\home\models\Contact.php, allowing an attacker to inject arbitrary script through it.
CPE Name | Operator | Version |
---|---|---|
weison-tech/yii2-cms | le | 1.0.2 |