CVE-2019-5311
Description
An issue was discovered in YUNUCMS V1.1.8. app/index/controller/Show.php has an XSS vulnerability via the index.php/index/show/index cw parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
YUNUCMS V1.1.8 is vulnerable to stored XSS via the `cw` parameter in the Show.php controller.
Vulnerability
YUNUCMS V1.1.8 [1] contains a cross-site scripting (XSS) vulnerability in app/index/controller/Show.php. The index.php/index/show/index endpoint does not properly sanitize the cw parameter before rendering it in the page, allowing an attacker to inject arbitrary HTML or JavaScript.
Exploitation
An attacker can exploit this by crafting a malicious URL that includes a JavaScript payload in the cw parameter. The victim must then visit the crafted URL, or the attacker may embed it in a link on a third-party site to lure the victim. No authentication is required to trigger the vulnerable parameter.
Impact
Successful exploitation allows the attacker to execute arbitrary client-side code in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed to the user.
Mitigation
As of the referenced advisory [1], no patched version has been released. Users should restrict access to the vulnerable endpoint via a web application firewall (WAF) or input filtering until an official fix is provided.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input sanitization on the `cw` parameter in `Show.php` allows reflected cross-site scripting."
Attack vector
An attacker crafts a URL to the `index.php/index/show/index` endpoint with a malicious `cw` parameter containing JavaScript payload. The parameter value is not sanitized, so when the page renders, the injected script executes in the victim's browser. The attacker can deliver the URL via phishing or by embedding it in a page that supports Flash, as noted in the advisory [ref_id=1].
Affected code
The vulnerability exists in `app/index/controller/Show.php` in the `index()` function. The `cw` parameter is passed unfiltered into the application's output, with no sanitization applied before rendering [ref_id=1].
What the fix does
No patch is published in the bundle. The advisory recommends filtering the `cw` parameter in the `index()` function of `Show.php` to prevent unescaped user input from being rendered as HTML/JavaScript [ref_id=1]. A proper fix would apply output encoding or input validation to the `cw` parameter before it reaches the view layer.
Preconditions
- configThe application must be YUNUCMS version 1.1.8
- networkThe attacker must be able to deliver a crafted URL to a victim (e.g., via phishing or embedding in a page)
- inputThe victim's browser must render the page without additional content security protections
Reproduction
Open the following URL in a browser: `http://127.0.0.1/index.php/index/show/index?id=59&cw=YH2001-HE056%E5%8E%82%E5%AE%B6%27%3E%3CsCripT%3Ealert(1)%3C/sCripT%3E%3C%27&id=59`. The JavaScript `alert(1)` will execute, confirming the cross-site scripting vulnerability [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- github.com/doublefast/yunucms/issues/5mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.