CVE-2018-10368 in WUZHI
Summary
by MITRE
An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 05/05/2025
The vulnerability CVE-2018-10368 represents a critical stored cross-site scripting flaw within WUZHI CMS version 4.1.0, specifically affecting the "Extension Module -> System Announcement" functionality. This issue allows authenticated attackers with permissions to create or modify system announcements to inject malicious JavaScript code that persists in the application's database and executes whenever the announcement is displayed to other users. The vulnerability stems from insufficient input validation and output encoding mechanisms within the announcement module, creating a persistent security risk that can affect all users who view the compromised announcement content.
The technical exploitation of this vulnerability occurs through the manipulation of the announcement submission process where user input is not properly sanitized before being stored in the database. When administrators or authorized users view the announcement page, the malicious script executes within their browser context, potentially enabling attackers to steal session cookies, perform actions on behalf of users, or redirect them to malicious sites. This stored XSS vulnerability falls under CWE-79 which specifically addresses Cross-Site Scripting flaws, and aligns with ATT&CK technique T1531 which covers "Modify System Image" through the execution of malicious code within legitimate user sessions. The vulnerability's persistence makes it particularly dangerous as the malicious payload remains active until manually removed from the database.
The operational impact of CVE-2018-10368 extends beyond simple data theft or defacement, as it can facilitate more sophisticated attacks including credential harvesting, session hijacking, and privilege escalation within the CMS environment. An attacker who successfully exploits this vulnerability could potentially gain administrative access to the CMS, leading to full compromise of the website's backend systems. The vulnerability affects not only the immediate functionality of the announcement system but can also serve as a foothold for broader attacks against the entire CMS infrastructure. Organizations using WUZHI CMS 4.1.0 are particularly at risk since the vulnerability affects the core administrative functionality and can be exploited by users with relatively low privileges within the system.
Mitigation strategies for this vulnerability should include immediate implementation of input validation and output encoding controls within the announcement module, ensuring all user-supplied content undergoes proper sanitization before database storage. System administrators should also implement proper access controls and monitoring of announcement creation activities to detect potential malicious submissions. The recommended fix involves updating to a patched version of WUZHI CMS, as the vulnerability was addressed in subsequent releases through proper input validation mechanisms and enhanced output encoding. Organizations should also consider implementing web application firewalls and content security policies to provide additional layers of protection against similar vulnerabilities. Regular security audits and penetration testing of CMS components should be conducted to identify and remediate similar stored XSS vulnerabilities in other modules.