VYPR
Unrated severity · NVD Advisory · Published Oct 28, 2018 · Updated Aug 5, 2024

CVE-2018-18726

Description

An XSS issue was discovered in admin/sitelink/editsitelink?id=16 in YUNUCMS 1.1.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

YUNUCMS 1.1.5 suffers from a stored XSS in the admin sitelink edit functionality, allowing remote attackers to inject arbitrary web script or HTML.

Vulnerability

YUNUCMS version 1.1.5 contains a stored cross-site scripting (XSS) vulnerability in the admin interface at /admin/sitelink/editsitelink?id=16. The flaw allows an authenticated administrator to inject arbitrary web script or HTML via the sitelink editing form, which is then stored and executed when the page is loaded [1].

Exploitation

To exploit the vulnerability, an attacker must have valid administrator credentials and be able to access the admin panel. The attacker navigates to the edit sitelink page for id=16, inserts a malicious payload such as `` into an input field, and submits the form. When any administrator views the affected sitelink page, the stored script executes in their browser [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin session. This can lead to session hijacking, defacement, or theft of sensitive information displayed in the admin interface. The attack is stored and persistent, affecting all users who visit the compromised page [1].

Mitigation

As of the publication date (2018-10-28), no official patch has been released for YUNUCMS 1.1.5. Users should upgrade to a later version of YUNUCMS if available, or restrict access to the admin panel and avoid using the sitelink editor with untrusted input. The vendor has been notified via the GitHub issue tracker [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

1
