A vulnerability has been found in phpCMS 9.6.0/9.6.1/9.6.2/9.6.3 and classified as problematic. This vulnerability affects an unknown function of the component Personal Information Screen. The manipulation of the argument mailbox with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. CVE summarizes:

PHPCMS 9.6.x through 9.6.3 has XSS via the mailbox (aka E-mail) field on the personal information screen.

The bug was discovered 03/23/2019. The weakness was published 03/25/2019. This vulnerability was named CVE-2019-10027 since 03/24/2019. The attack can be initiated remotely. The successful exploitation requires a single authentication. Successful exploitation requires user interaction by the victim. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1059.007.

The vulnerability was handled as a non-public zero-day exploit for at least 2 days. During that time the estimated underground price was around $0-$5k.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Similar entries are available at VDB-16969, VDB-22136, VDB-23334 and VDB-28881.

Productinfo

Name

• phpCMS

Version

• 9.6.0
• 9.6.1
• 9.6.2
• 9.6.3

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion