CVE-2019-11398

MEDIUM

UliCMS 2019.1-2019.2 - Cross-Site Scripting via Admin Index Parameters

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2019-11398. PoCs published by Unk9vvN, Kağan EĞLENCE.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in UliCMS 2019.1 by injecting malicious JavaScript payloads into the 'name' and 'systemname' parameters via POST requests to the admin panel.

Description

Multiple cross-site scripting (XSS) vulnerabilities in UliCMS 2019.2 and 2019.1 allow remote attackers to inject arbitrary web script or HTML via the go parameter to admin/index.php, the go parameter to /admin/index.php?register=register, or the error parameter to admin/index.php?action=favicon.

Exploits (2)

exploitdb WORKING POC
by Unk9vvN · text · webapps · php
https://www.exploit-db.com/exploits/46977

This exploit demonstrates a stored XSS vulnerability in UliCMS 2019.1 by injecting malicious JavaScript payloads into the 'name' and 'systemname' parameters via POST requests to the admin panel.

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: UliCMS 2019.1
Auth required
Prerequisites: Access to the admin panel · Valid session cookie
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC
by Kağan EĞLENCE · text · webapps · php
https://www.exploit-db.com/exploits/46741

The exploit demonstrates multiple XSS vulnerabilities in UliCMS versions 2019.1 and 2019.2. It includes payloads for three distinct vulnerabilities, two of which are unauthenticated and one requiring authentication.

Classification: Working PoC 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: UliCMS 2019.1, 2019.2
No auth needed
Prerequisites: Access to the target UliCMS instance
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Vendor Advisory x_refsource_misc
https://en.ulicms.de/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/46741/

Scores

CVSS v3 6.1
EPSS 0.0347
EPSS Percentile 87.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status published
Products (2)
ulicms/ulicms 2019.1
ulicms/ulicms 2019.2
Published May 08, 2019
Tracked Since Feb 18, 2026