liuwy-dlsdys zhglxt HTTP POST Request edit cross site scripting
Description
A stored cross-site scripting (XSS) vulnerability in liuwy-dlsdys zhglxt 4.7.7 allows remote attackers to inject arbitrary JavaScript via the notifyTitle parameter in the /oa/notify/edit endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting (XSS) vulnerability in liuwy-dlsdys zhglxt 4.7.7 allows remote attackers to inject arbitrary JavaScript via the notifyTitle parameter in the /oa/notify/edit endpoint.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in liuwy-dlsdys zhglxt version 4.7.7. The issue affects the /oa/notify/edit endpoint, where the HTTP POST request handler processes the notifyTitle parameter without proper sanitization. The software fails to encode or validate user-controlled input before storing it, allowing injection of arbitrary HTML and JavaScript [1].
Exploitation
An attacker must first authenticate to the zhglxt application with administrative privileges (default credentials system/system are commonly used) [1]. After login, the attacker navigates to the announcement management menu and clicks the add button. In the notifyTitle field of the POST request to /zhglxt/oa/notify/edit, the attacker inserts a payload such as ``. Upon saving, the payload is stored in the system. The injected script executes in the browser of any user who subsequently uses the search functionality [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session cookie theft, sensitive information disclosure, or further actions limited to the scope of a stored XSS attack. The attack requires administrative login, but any user triggering the search action is affected [1].
Mitigation
As of the publication date (2024-01-19), no official patch or fixed version has been released. Users should sanitize the notifyTitle input by escaping HTML entities on both input and output. Upgrading the application to a future patched version is advised once available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: v4.6.2, v4.7.1, v4.7.2, …
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Stored cross-site scripting due to insufficient sanitization of the notifyTitle parameter in the HTTP POST request handler."
Attack vector
An attacker with admin access logs into the zhglxt application at /zhglxt/login using default credentials (system/system) [ref_id=1]. They navigate to the announcement management menu, click the add button, and inject a JavaScript payload (e.g., <script>alert(document.cookie)</script>) into the notifyTitle parameter of the POST /zhglxt/oa/notify/edit request [ref_id=1]. The payload is stored on the server and triggers when any user performs a search operation, executing in the context of the victim's browser session [ref_id=1].
Affected code
The vulnerable endpoint is POST /zhglxt/oa/notify/edit, which processes the notifyTitle form-data parameter [ref_id=1]. The specific source file within the zhglxt codebase is not identified in the advisory.
What the fix does
No patch is provided in the bundle. The advisory does not include a fix or remediation guidance from the vendor. To close this vulnerability, the application should sanitize or encode the notifyTitle input on the server side before storing it, and/or apply output encoding when rendering the value in the browser.
Preconditions
- authAttacker must have valid admin credentials (default: system/system)
- networkAttacker must be able to reach the zhglxt web application over the network
- configThe application must be running zhglxt version 4.7.7
Reproduction
1. Log in to http://localhost:9898/zhglxt/login with username system and password system. 2. Navigate to the announcement management menu and click the add button. 3. In the notifyTitle field, enter the payload: <script>alert(document.cookie)</script>. 4. Click Save. 5. The payload triggers when a user clicks the search button [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/biantaibao/zhglxt_xss/blob/main/xss.mdmitreexploit
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.