CVE-2024-43006

MEDIUM

ZZCMS2023 - Stored Cross-Site Scripting in ask/show.php via Content Parameter

Title source: llm
STIX 2.1

Description

A stored cross-site scripting (XSS) vulnerability exists in ZZCMS2023 in the ask/show.php file at line 21. An attacker can exploit this vulnerability by sending a specially crafted POST request to /user/ask_edit.php?action=add, which includes malicious JavaScript code in the 'content' parameter. When a user visits the ask/show_{newsid}.html page, the injected script is executed in the context of the user's browser, leading to potential theft of cookies, session tokens, or other sensitive information.

Scores

CVSS v3 5.4
EPSS 0.0023
EPSS Percentile 13.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
zzcms/zzcms 2023
Published Aug 16, 2024
Tracked Since Feb 18, 2026