CVE-2020-25915
Description
Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in ThinkCMF 5.1.5 UserController.php allows attackers to inject arbitrary scripts via the user_login parameter.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in ThinkCMF version 5.1.5, specifically in the UserController.php file. The root cause is the use of unsanitized $_POST data directly in database operations. The addPost() and editPost() methods pass the raw $_POST array to insertGetId() and update(), respectively, without filtering or escaping the user_login parameter [2][4]. This allows an attacker to inject malicious HTML/JavaScript code.
Exploitation
An attacker with administrative access to the ThinkCMF backend can exploit this by sending a POST request to /admin/user/addpost.html (or the edit endpoint) with a crafted user_login parameter. The proof-of-concept demonstrates setting user_login to `` [4]. The request does not require any special privileges beyond being able to access the user management section; however, the attacker must be an authenticated administrator. The lack of input sanitization means the payload is stored in the database and executed when an administrator views the user list.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser session. This can be used to steal session cookies, perform actions on behalf of the administrator, or deface the admin panel. The vulnerability is classified as stored XSS because the payload persists and affects other users viewing the user management pages [2][4].
Mitigation
The vulnerability was addressed in a commit that replaced direct use of $_POST with $this->request->param() and added proper data handling before database insertion. The commit (27e1fbea) was made to the thinkcmf/thinkcmf repository [3]. Users should update to a version that includes this fix or apply the patch manually. There is no evidence of this CVE being listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
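The two controls the narrative above depends on, shown together as an added example (this is not ThinkCMF's code and not the patch commit): accept only a known list of user columns from the request instead of passing the whole parameter array to the insert, and escape every string when it is rendered in the admin user list. Of the field names used, `user_login`, `user_pass`, `role_id` and `id` come from this page; `user_nickname` and `user_email` and the helper names `pickUserFields`, `e` and `renderUserRow` are assumptions for the illustration.

```php
<?php
// Added example, not ThinkCMF code. Demonstrates field whitelisting on input
// and HTML escaping on output for a user-management form.

declare(strict_types=1);

/** Columns a user form may write. user_nickname/user_email are assumed names. */
const USER_WRITABLE_FIELDS = ['user_login', 'user_nickname', 'user_email', 'user_pass'];

/**
 * Reduce a request array to the whitelisted user columns.
 * Everything else (id, role_id, user_status, ...) is dropped here on purpose
 * rather than being silently discarded by a non-strict insert; role_id is
 * returned separately so the caller handles it explicitly.
 *
 * @return array{0: array<string,string>, 1: int[]}
 */
function pickUserFields(array $request): array
{
    $data = [];
    foreach (USER_WRITABLE_FIELDS as $field) {
        if (array_key_exists($field, $request) && is_string($request[$field])) {
            $data[$field] = trim($request[$field]);
        }
    }

    $roleIds = [];
    if (isset($request['role_id']) && is_array($request['role_id'])) {
        // keep only positive integers; strings such as "2" become 2, junk becomes 0 and is removed
        $roleIds = array_values(array_filter(array_map('intval', $request['role_id'])));
    }

    return [$data, $roleIds];
}

/** Escape a value for an HTML text node or quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one row of the admin user list; every stored value passes through e(). */
function renderUserRow(array $user): string
{
    return '<tr><td>' . e((string) ($user['user_login'] ?? ''))
        . '</td><td>' . e((string) ($user['user_email'] ?? '')) . '</td></tr>';
}

// Constructed request resembling a crafted form submission (example data only).
$request = [
    'user_login'  => '<script>alert(1)</script>',
    'user_email'  => 'admin@example.invalid',
    'user_pass'   => 'example-password',
    'role_id'     => ['2', '3'],
    'user_status' => '1', // not whitelisted: must not reach the insert
];

[$data, $roleIds] = pickUserFields($request);

// $data holds only the whitelisted columns; the stored user_login is still the
// raw string, and the rendered row is inert because the template escapes it.
var_dump(array_keys($data));          // user_login, user_email, user_pass
var_dump($roleIds);                   // [2, 3]
echo renderUserRow($data), PHP_EOL;
```

Output escaping is the control that holds regardless of how the value got into the database, which matters for stored XSS where older rows may predate any input filtering; the whitelist addresses the separate problem of handing an entire request array to an insert or update.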
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| thinkcmf/thinkcmf (Packagist) | < 5.1.7 | 5.1.7 |
Affected products
Patches
1 file changed · +25 −25
vendor/thinkcmf/cmf-app/src/admin/controller/UserController.php+25 −25 modified@@ -127,24 +127,24 @@ public function add() public function addPost() { if ($this->request->isPost()) { - if (!empty($_POST['role_id']) && is_array($_POST['role_id'])) { - $role_ids = $_POST['role_id']; - unset($_POST['role_id']); - $result = $this->validate($this->request->param(), 'User'); + $roleIds = $this->request->param('role_id/a'); + if (!empty($roleIds) && is_array($roleIds)) { + $data = $this->request->param(); + $result = $this->validate($data, 'User'); if ($result !== true) { $this->error($result); } else { - $_POST['user_pass'] = cmf_password($_POST['user_pass']); - $result = DB::name('user')->insertGetId($_POST); - if ($result !== false) { + $data['user_pass'] = cmf_password($data['user_pass']); + $userId = DB::name('user')->strict(false)->insertGetId($data); + if ($userId !== false) { //$role_user_model=M("RoleUser"); - foreach ($role_ids as $role_id) { - if (cmf_get_current_admin_id() != 1 && $role_id == 1) { + foreach ($roleIds as $roleId) { + if (cmf_get_current_admin_id() != 1 && $roleId == 1) { $this->error("为了网站的安全,非网站创建者不可创建超级管理员!"); } - Db::name('RoleUser')->insert(["role_id" => $role_id, "user_id" => $result]); + Db::name('RoleUser')->insert(["role_id" => $roleId, "user_id" => $userId]); } - $this->success("添加成功!", url("user/index")); + $this->success("添加成功!", url("User/index")); } else { $this->error("添加失败!"); } 
@@ -204,29 +204,29 @@ public function edit() public function editPost() { if ($this->request->isPost()) { - if (!empty($_POST['role_id']) && is_array($_POST['role_id'])) { - if (empty($_POST['user_pass'])) { - unset($_POST['user_pass']); + $roleIds = $this->request->param('role_id/a'); + if (!empty($roleIds) && is_array($roleIds)) { + $data = $this->request->param(); + if (empty($data['user_pass'])) { + unset($data['user_pass']); } else { - $_POST['user_pass'] = cmf_password($_POST['user_pass']); + $data['user_pass'] = cmf_password($data['user_pass']); } - $role_ids = $this->request->param('role_id/a'); - unset($_POST['role_id']); - $result = $this->validate($this->request->param(), 'User.edit'); + $result = $this->validate($data, 'User.edit'); if ($result !== true) { // 验证失败 输出错误信息 $this->error($result); } else { - $result = DB::name('user')->update($_POST); + $userId = $this->request->param('id', 0, 'intval'); + $result = DB::name('user')->strict(false)->where('id', $userId)->update($data); if ($result !== false) { - $uid = $this->request->param('id', 0, 'intval'); - DB::name("RoleUser")->where("user_id", $uid)->delete(); - foreach ($role_ids as $role_id) { - if (cmf_get_current_admin_id() != 1 && $role_id == 1) { + DB::name("RoleUser")->where("user_id", $userId)->delete(); + foreach ($roleIds as $roleId) { + if (cmf_get_current_admin_id() != 1 && $roleId == 1) { $this->error("为了网站的安全,非网站创建者不可创建超级管理员!"); } - DB::name("RoleUser")->insert(["role_id" => $role_id, "user_id" => $uid]); + DB::name("RoleUser")->insert(["role_id" => $roleId, "user_id" => $userId]); } $this->success("保存成功!"); } else { @@ -373,4 +373,4 @@ public function cancelBan() $this->error('数据传入失败!'); } } -} \ No newline at end of file +}
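Review bot: in the addPost hunk (@@ -127), nothing escapes `user_login` explicitly; the change rests on `$this->request->param()` applying the framework's configured default input filter, and `$data` still carries the `role_id` array into `DB::name('user')->strict(false)->insertGetId($data)`. `strict(false)` silently discards every key that is not a column, so it hides the missing `unset($data['role_id'])` and also lets any other posted field that happens to match a column be written. Build `$data` from an explicit field list, keep `role_id` out of it, and escape `user_login` where the user list renders it rather than relying on the input filter alone.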
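Review bot: in the editPost hunk (@@ -204), `$data = $this->request->param()` still contains `id` and `role_id` when it reaches `DB::name('user')->strict(false)->where('id', $userId)->update($data)`; `strict(false)` is again what drops `role_id`, and `id` is written back as part of the update set. Unset both from `$data` (or select fields by name) so the query is explicit. Also, `$userId = $this->request->param('id', 0, 'intval')` defaults to 0 when no id is posted: the update then matches no row, but an affected-row count of 0 passes `if ($result !== false)`, so the code goes on to delete and reinsert `RoleUser` rows for `user_id` 0; add an early `$this->error()` when `$userId` is 0.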
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.