CVE-2018-14686
Description
XYCMS 1.7 has a stored XSS vulnerability in system/edit_book.php via a crafted add_do.php request, allowing arbitrary script execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
XYCMS 1.7 contains a stored cross-site scripting (XSS) vulnerability in system/edit_book.php. The issue arises from insufficient sanitization of input passed through add_do.php when adding a book via add_book.php. A crafted request to add_do.php can inject malicious JavaScript that is stored and later executed when the book is edited in edit_book.php. This affects XYCMS version 1.7 [1].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted HTTP request to add_do.php with a malicious payload in one of the book fields (e.g., book name or description). No authentication is required if the add book functionality is publicly accessible; otherwise, the attacker needs a valid user account with permission to add books. The injected script is stored in the database and executed in the browser of any user who subsequently visits edit_book.php to edit that book [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement of the admin interface, theft of sensitive data, or further attacks against other users. The impact is limited to the browser session and does not directly compromise the server [1].
Mitigation
As of the publication date (2018-07-28), no official patch has been released for XYCMS 1.7. Users should upgrade to a newer version if available, or apply input sanitization and output encoding to all user-supplied data in add_do.php and edit_book.php. Until a fix is applied, restrict access to the book management functionality to trusted users only [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] github.com/TonyKentClark/MyCodeAudit/blob/master/xycms%20%20v1.7 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.