CVE-2018-18622

Vulnerability

A cross-site scripting (XSS) vulnerability exists in Waimai Super Cms version 20150505. The flaw resides in the index.php?m=public&a=doregister endpoint, where the username parameter is not properly sanitized before being processed. An attacker can inject arbitrary HTML or JavaScript code via this parameter during user registration. The affected version is 20150505 as disclosed in the official description [1].

Exploitation

Exploitation requires no authentication or special privileges. An attacker can craft a POST request to /w/index.php?m=public&a=doregister with a malicious payload in the username field. For example, the payload ` can be URL-encoded and submitted. The request includes other required fields such as useremail, userpass, reuserpass, verify, and hash` as shown in the reference [1]. The script executes when the payload is rendered by the application, likely when the username is displayed on a page (e.g., admin panel or user list).

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, defacement, theft of sensitive information, or further attacks against the application. The attacker does not need any prior access; the victim may be an administrator or regular user who views the injected content.

Mitigation

As of the publication date (2018-10-23), no official patch has been released for Waimai Super Cms 20150505. The software may be unmaintained. Mitigation requires manual input validation and output encoding of the username parameter. Administrators should consider upgrading to a supported fork or implementing a web application firewall (WAF) rule to block XSS payloads in registration fields.