CVE-2020-37222

HIGH

Kuicms Php EE 2.0 Persistent Cross-Site Scripting via bbs reply

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-37222. PoCs published by China Banking and Insurance Information Technology Management Co.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in Kuicms Php EE 2.0 by injecting malicious JavaScript via a crafted POST request to the reply endpoint. The payload is embedded in the 'content' parameter and executed when rendered in the BBS module.

Description

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in the content parameter to execute arbitrary scripts in users' browsers.

Exploits (1)

exploitdb · Working PoC
by China Banking and Insurance Information Technology Management Co. · text · webapps · php
https://www.exploit-db.com/exploits/48526

Classification: Working PoC (95%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Kuicms Php EE 2.0
Auth required: yes
Prerequisites: Valid session cookie (PHPSESSID) · Access to the BBS reply functionality
Analyzed by devstral-2 on May 13, 2026

References (4)

Core References (4)

Exploit: ExploitDB-48526
https://www.exploit-db.com/exploits/48526

Product: Official Product Homepage
https://kuicms.com

Product: Product Reference
https://kuicms.com/kuicms.zip

Third-Party Advisory: VulnCheck Advisory: Kuicms Php EE 2.0 Persistent Cross-Site Scripting via bbs reply
https://www.vulncheck.com/advisories/kuicms-php-ee-persistent-cross-site-scripting-via-bbs-reply

Scores

CVSS v3: 7.2
EPSS: 0.0031
EPSS Percentile: 22.9%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): Kuicms/Kuicms Php EE 2.0
Published: May 13, 2026
Tracked Since: May 13, 2026