CVE-2023-43340

MEDIUM

evolution_cms 3.2.3 - Cross-Site Scripting via cmsadmin, cmsadminemail, cmspassword, and cmspasswordconfirm Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-43340, a PoC published by sromanhu.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2023-43340, a reflected XSS vulnerability in Evolution CMS v3.2.3. It includes a proof-of-concept payload and screenshots demonstrating the exploitation of the vulnerability during the installation process.

Description

Cross-site scripting (XSS) vulnerability in Evolution CMS v3.2.3 allows a local attacker to execute arbitrary code via a crafted payload injected into the cmsadmin, cmsadminemail, cmspassword and cmspasswordconfirm parameters.

Exploits (1)

nomisec writeup by sromanhu (PoC):
https://github.com/sromanhu/-CVE-2023-43340-Evolution-Reflected-XSS---Installation-Admin-Options


Classification: Writeup (90%)
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Evolution CMS v3.2.3
Authentication: none needed
Prerequisites: Access to the Evolution CMS installation process
MITRE ATT&CK:
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3: 5.2
EPSS: 0.0112
EPSS Percentile: 78.7%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (2):
evo/evolution_cms 3.2.3
evolutioncms/evolution 0 (Packagist)
Published: Oct 19, 2023
Tracked Since: Feb 18, 2026