CVE-2018-9993
Description
YUNUCMS 1.0.7 has XSS via the content title on an admin/content/addcontent/cid/## page (aka a news center page).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
YUNUCMS 1.0.7 is vulnerable to stored XSS via the content title parameter in the admin news center page.
Vulnerability
YUNUCMS 1.0.7 contains a stored cross-site scripting (XSS) vulnerability in the content title parameter on the admin news center page (admin/content/addcontent/cid/##). The application fails to sanitize user input before storing it, allowing arbitrary HTML and JavaScript to be injected. Affected version is 1.0.7 [1].
Exploitation
An attacker must have valid admin credentials to access the admin panel. The attacker navigates to the add content page, sets the content title to a payload such as <svg/onload=alert(0)>, and saves the content. The payload is stored and executed when the content list or the show page (index/show/index?id=38) is viewed [1].
Impact
Successful exploitation allows execution of arbitrary JavaScript in the context of the admin's browser. This can lead to session hijacking, defacement, or other client-side attacks. The attacker does not gain direct server-side access but can perform actions on behalf of the authenticated admin.
Mitigation
No official fix is documented in the available reference [1]. Users should upgrade to a later version of YUNUCMS if a patched release exists, or apply input sanitization and output encoding to the content title field. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
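The output-encoding mitigation above, as an added example that is not code from the page or from YUNUCMS: the vulnerable rendering pattern beside its encoded form, plus an audit helper a defender can run over titles already stored in the content table. Function names and the sample titles are constructed for illustration.

```python
import html
import re

# Constructed sample rows standing in for a CMS content table (not YUNUCMS data).
# The second entry is the payload quoted in the advisory.
SAMPLE_TITLES = [
    "Company news for May",
    "<svg/onload=alert(0)>",
    'Q&A: "Security" <b>update</b>',
]


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored title is interpolated into HTML verbatim,
    so any markup it contains becomes live DOM in the viewer's browser."""
    return f"<h2>{title}</h2>"


def render_title_safe(title: str) -> str:
    """Hardened pattern: HTML-encode at output time; <, >, &, and quotes become
    entities, so the browser shows the text instead of interpreting it."""
    return f"<h2>{html.escape(title, quote=True)}</h2>"


# A news title has no legitimate need for tags or inline event handlers.
_MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>|\bon[a-z]+\s*=", re.IGNORECASE)


def find_suspicious_titles(titles):
    """Audit helper: return (index, title) pairs for stored titles that contain
    markup, so content saved before the fix can be reviewed or cleaned."""
    return [(i, t) for i, t in enumerate(titles) if _MARKUP.search(t)]


if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print("unsafe:", render_title_unsafe(t))
        print("safe:  ", render_title_safe(t))
    print("flagged:", find_suspicious_titles(SAMPLE_TITLES))
```

Encoding belongs at the point of output; the stored value can stay as entered, which also keeps the audit helper meaningful for historical rows.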
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/imsebao/404team/blob/master/yunucms/yunucms.md
News mentions
No linked articles in our index yet.