CVE-2018-8078

MEDIUM

YzmCMS 3.7 - Stored Cross-Site Scripting via Advertisement Title Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8078. PoCs published by Jx0n0.

AI-analyzed exploit summary: This repository documents a stored XSS vulnerability in YZMCMS v3.7, specifically in the advertisement management module. The writeup details how the 'title' parameter is not properly sanitized, allowing arbitrary JavaScript execution when rendered in the admin interface.

Description

YzmCMS 3.7 has Stored XSS via the title parameter to advertisement/adver/edit.html.

Exploits (1)

nomisec WRITEUP 7 stars
by Jx0n0 · poc
https://github.com/Jx0n0/YZMCMSxss

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: YZMCMS v3.7
Auth required
Prerequisites: Access to the YZMCMS admin panel · Valid session credentials
MITRE ATT&CK
mistral-large-3 · analyzed Feb 16, 2026

Scores

CVSS v3: 5.4
EPSS: 0.0083
EPSS Percentile: 53.0%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): yzmcms/yzmcms 3.7
Published: Mar 13, 2018
Tracked Since: Feb 18, 2026