In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
References
Link | Resource |
---|---|
https://github.com/yzmcms/yzmcms/issues/45 | Exploit Third Party Advisory |
Configurations
Information
Published : 2021-05-10 16:15
Updated : 2021-05-13 13:32
NVD link : CVE-2020-23370
Mitre link : CVE-2020-23370
JSON object : View
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Products Affected
yzmcms
- yzmcms