CVE-2018-14512
Description
An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[nickname] parameter to the index.php?m=core&f=set&v=sendmail URI. When the administrator accesses the "system settings - mail server" screen, the XSS payload is triggered.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WUZHI CMS 4.1.0 has a persistent XSS via the form[nickname] parameter in the mail server settings, triggering when an admin views the page.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in WUZHI CMS version 4.1.0. The flaw resides in the mail server configuration endpoint at index.php?m=core&f=set&v=sendmail. An attacker can inject arbitrary web script or HTML through the form[nickname] parameter, which is stored and later executed when an administrator accesses the "system settings - mail server" page. The vulnerability requires the attacker to have the ability to submit a crafted POST request to the vulnerable URI [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted POST request to index.php?m=core&f=set&v=sendmail with a malicious payload in the form[nickname] field. No authentication or special privileges are required to submit the request; the payload is stored in the system and automatically rendered when an administrator visits the mail server settings page. The proof of concept uses a <details/open/ontoggle=eval(...)> tag to trigger JavaScript execution on the admin's browser without any user interaction beyond the admin viewing the page [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the administrator's session. This can lead to theft of session cookies, defacement, redirection to malicious sites, or other actions that compromise the confidentiality, integrity, and availability of the CMS admin interface. Since the admin panel often has elevated privileges, the impact may extend to full control of the application [1].
Mitigation
As of the publication date, no fix or patched version has been released for WUZHI CMS 4.1.0. Users are advised to restrict access to the mail server settings page to trusted administrators only and to sanitize all user-supplied input, especially parameters used in administrative functions. Monitoring the official repository for a security update is recommended [1].
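The mitigation above comes down to never letting a stored settings value reach the administrator's page as raw HTML. The following is an added example, not code from WUZHI CMS or from the cited issue; it contrasts the vulnerable rendering pattern (stored value concatenated into markup) with a hardened version that applies context-aware output encoding, and adds a small audit helper a defender can run over already-stored settings to find values that contain tags or event-handler attributes. The function names, the `SAMPLE_SETTINGS` dictionary and the placeholder value in it are constructed for illustration and do not correspond to the CMS's real storage layout.

```python
import html
import re

# Constructed sample of what a settings store might hold for the mail sender
# nickname (the page names form[nickname] as the injected field). The second
# entry mirrors the shape of the reported payload with a harmless placeholder;
# it is constructed sample data, not a live exploit string.
SAMPLE_SETTINGS = {
    "nickname": "Site Mailer",
    "nickname_tampered": "<details/open/ontoggle=probe()>",
    "smtp_host": "smtp.example.test",
}


def render_nickname_unsafe(value: str) -> str:
    """The vulnerable pattern: the stored value is concatenated straight into
    the attribute of the admin form, so any markup it contains is live."""
    return f'<input name="form[nickname]" value="{value}">'


def render_nickname_safe(value: str) -> str:
    """Hardened pattern: context-aware output encoding at render time.

    html.escape with quote=True encodes < > & " and ', so the stored value can
    neither break out of the attribute nor start a new element, regardless of
    what was saved. Encoding on output protects the admin page even when the
    input path did not validate the value."""
    return f'<input name="form[nickname]" value="{html.escape(value, quote=True)}">'


# Markup indicators a reviewer would not expect in a display-name field: any
# tag-like token, or an on* event-handler attribute. These are triage checks
# for already-stored settings (was anything injected before the fix?), not a
# substitute for output encoding.
_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")
_EVENT_HANDLER_RE = re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)


def suspicious_settings(settings: dict[str, str]) -> list[str]:
    """Return the keys whose stored values contain HTML tags or event handlers."""
    flagged = []
    for key, value in settings.items():
        if _TAG_RE.search(value) or _EVENT_HANDLER_RE.search(value):
            flagged.append(key)
    return flagged


if __name__ == "__main__":
    for key in ("nickname", "nickname_tampered"):
        print("unsafe:", render_nickname_unsafe(SAMPLE_SETTINGS[key]))
        print("safe:  ", render_nickname_safe(SAMPLE_SETTINGS[key]))
    print("flagged keys:", suspicious_settings(SAMPLE_SETTINGS))
```

The audit helper is deliberately narrow: a nickname has no legitimate reason to contain an angle bracket or an `on*=` attribute, so flagging those is low-noise for this field, whereas a generic input filter applied everywhere would be both noisy and incomplete. The durable fix is the encoding in `render_nickname_safe`, applied in the template that draws the mail server settings page.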
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/wuzhicms/wuzhicms/issues/143 (MISC)
News mentions: 0
No linked articles in our index yet.