CVE-2023-43962
Description
Cross Site Scripting vulnerability in Xunrui CMS Public Edition v.4.6.1 allows a remote attacker to execute arbitrary code via the project name function in the project settings tab.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS vulnerability in Xunrui CMS v4.6.1 allows authenticated attackers to inject arbitrary JavaScript via the project name field.
Vulnerability
Overview
CVE-2023-43962 is a stored cross-site scripting (XSS) vulnerability in Xunrui CMS Public Edition v4.6.1. The flaw resides in the project name field within the project settings tab of the administrative backend. User-supplied input is stored as received and later rendered into the settings page without output encoding, so an attacker can inject arbitrary HTML or JavaScript that the browser interprets as part of the page.
Exploitation
Details
Exploitation requires prior authentication to the CMS management backend. An attacker can craft a POST request to the site_config endpoint, setting the SITE_NAME parameter to a payload such as a script tag or an external image request. The payload is stored and executes whenever the project settings page is viewed by an administrator, including users other than the attacker who have access to that page [1].
Impact
Successful exploitation enables an authenticated attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data accessible through the admin interface. The CVSS v3 base score of 4.8 (medium) reflects the privileges required (an account on the backend) and the need for user interaction (a victim viewing the affected page).
Mitigation
Status
As of the publication date (2024-12-09), no official patch has been released by the vendor. Users are advised to restrict access to the admin panel to trusted accounts, apply strict input validation and context-aware output encoding to the project name wherever it is rendered, and monitor for updates from Xunrui CMS. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities catalog.
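The exploitation path described above (a stored SITE_NAME value rendered raw into the admin page) and the output-encoding mitigation, as an added example that is not code from the original page or from Xunrui CMS. The settings store, the handler name, the `<h1>` render template, the payload host and the `audit_settings` triage check are all assumptions made for this illustration; the page only establishes the site_config endpoint and the SITE_NAME parameter.

```python
import html
import re

# Constructed stored-XSS payload of the kind the advisory describes: an external
# image request with an inline event handler. The host and the alert() body are
# placeholders for this example, not taken from the CVE references.
PAYLOAD = '<img src="https://attacker.example/p.png" onerror="alert(document.cookie)">'


def handle_site_config_post(store: dict, form: dict) -> dict:
    """Hypothetical stand-in for the site_config handler: copies SITE_NAME from
    the submitted form into the settings store unchanged. Storing raw text is
    not itself the defect; the defect is how the value is rendered later."""
    store["SITE_NAME"] = form.get("SITE_NAME", "")
    return store


def render_project_settings_vulnerable(store: dict) -> str:
    """Vulnerable pattern: the stored project name is interpolated into the
    admin page markup with no output encoding, so any markup in it is live."""
    return f'<h1>Project: {store["SITE_NAME"]}</h1>'


def render_project_settings_fixed(store: dict) -> str:
    """Hardened pattern: HTML-encode at the point of output. quote=True also
    encodes quotes, which keeps the value inert inside attribute values."""
    return f'<h1>Project: {html.escape(store["SITE_NAME"], quote=True)}</h1>'


# Things a stored settings value should never contain if it is meant as plain
# text: a tag opener, a javascript: URL, or an inline event-handler attribute.
_MARKUP = re.compile(r'<\s*[a-z!/]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)


def setting_looks_injected(value: str) -> bool:
    """Triage check for a stored value: True when it contains something that
    would behave as HTML or script if emitted without encoding."""
    return _MARKUP.search(value) is not None


def audit_settings(store: dict) -> list:
    """Names of settings whose stored value looks like injected markup; useful
    when checking an existing installation for a payload already planted."""
    return sorted(k for k, v in store.items()
                  if isinstance(v, str) and setting_looks_injected(v))


if __name__ == "__main__":
    store = handle_site_config_post({}, {"SITE_NAME": PAYLOAD})
    print(render_project_settings_vulnerable(store))  # payload emitted as live markup
    print(render_project_settings_fixed(store))       # payload emitted as inert text
    print(audit_settings(store))                      # ['SITE_NAME']
```

The encoding is applied at output rather than on input because the same stored value may be rendered in several contexts; an audit of already-stored values is the complementary step once the rendering is fixed.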
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.