CVE-2023-46378
Description
Stored Cross-Site Scripting (XSS) vulnerability in MiniCMS 1.1.1 allows attackers to run arbitrary code via a crafted string appended to /mc-admin/conf.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in MiniCMS 1.1.1 allows attackers to inject arbitrary JavaScript via a crafted string appended to /mc-admin/conf.php.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in MiniCMS version 1.1.1. The flaw is located in the /mc-admin/conf.php endpoint, where a crafted string appended to the URL is stored and later executed in the context of the admin panel. No authentication or special configuration is required to trigger the stored payload. [1]
Exploitation
An attacker can send a crafted request to /mc-admin/conf.php with a malicious JavaScript payload appended as a parameter. The payload is stored on the server and executed when an administrator views the affected page. No user interaction beyond normal admin browsing is required. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the MiniCMS admin panel. This can lead to session hijacking, defacement, or theft of sensitive data. The attacker gains the ability to perform actions as the admin user. [1]
Mitigation
As of the publication date (2023-10-31), no official patch has been released for MiniCMS 1.1.1. Users should consider upgrading to a newer version if available, or implement input sanitization and output encoding for the conf.php endpoint. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.