VYPR
Unrated severity · NVD Advisory · Published Sep 16, 2018 · Updated Aug 5, 2024

CVE-2018-17077

Description

Stored XSS in yiqicms comment title field allows attackers to bypass length limit and execute arbitrary JavaScript in admin panel.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The comment title field in yiqicms (through 2016-11-20) is vulnerable to stored cross-site scripting (XSS). The `comment.php` script applies a length check via the regex `/^.{1,30}$/` on the `$msgtitle` parameter but does not sanitize the input. The length limit can be bypassed by splitting a malicious payload across multiple comments using `/**/` as a concatenation marker [1]. Affected versions: all versions up to the last commit on 2016-11-20.

Exploitation

An attacker can submit two comments with titles that together form a valid JavaScript payload. For example, the first title contains `. The /**/` comment syntax in JavaScript allows the two parts to be concatenated when the titles are displayed sequentially [1]. No authentication is required to submit comments, but the XSS triggers only when an administrator views the comments in the backend.

Impact

Successful exploitation results in stored XSS that executes in the context of the admin panel. An attacker can perform actions such as stealing session cookies, defacing the admin interface, or executing arbitrary JavaScript with the privileges of the logged-in administrator. The impact is limited to the admin session but can lead to full compromise of the application if the admin performs sensitive actions.

Mitigation

No official patch has been released as the project appears abandoned (last commit 2016-11-20). The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. As a workaround, administrators should avoid viewing comments from untrusted users, or implement server-side sanitization of the title field using htmlspecialchars() or similar. Alternatively, disable the comment functionality if not required.
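
The server-side workaround named above, output encoding with `htmlspecialchars()`, sketched in PHP as an added example; it is not yiqicms code and not taken from the advisory. The function names, the table-row view and the two sample titles are constructed for illustration.

```php
<?php
// Added example, not yiqicms code; names and sample titles are hypothetical.

// The length check the advisory quotes for $msgtitle. It bounds size only,
// so markup characters pass through unchanged.
function title_passes_length_check(string $msgtitle): bool
{
    return preg_match('/^.{1,30}$/', $msgtitle) === 1;
}

// Output encoding as named in the Mitigation section: stored titles are
// rendered as text, whatever they contain and whatever is rendered next to them.
function render_title(string $msgtitle): string
{
    return htmlspecialchars($msgtitle, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical admin list view: one table row per stored comment title.
function render_comment_rows(array $titles, bool $encode): string
{
    $rows = '';
    foreach ($titles as $title) {
        $cell = $encode ? render_title($title) : $title;
        $rows .= "<tr><td>{$cell}</td></tr>\n";
    }
    return $rows;
}

// Constructed, harmless sample data: each title is under 30 characters and
// carries markup plus the /* and */ markers the advisory mentions.
$titles = ['<i>first half /*', '*/ second half</i>'];

foreach ($titles as $t) {
    printf("%-20s length check: %s\n", $t, title_passes_length_check($t) ? 'pass' : 'fail');
}

echo "\nWithout encoding (markup reaches the admin page as markup):\n";
echo render_comment_rows($titles, false);

echo "\nWith encoding (the same titles arrive as inert text):\n";
echo render_comment_rows($titles, true);
```

The length check remains useful as a size bound, but it inspects one field at a time and so cannot stand in for encoding at the point of output.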

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Yiqicms/Yiqicms (inferred), 2 versions
    • (no CPE) range: <=2016-11-20
    • (no CPE) range: <=2016-11-20

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
