CVE-2019-9110 in WUZHI
Summary
by MITRE
XSS exists in WUZHI CMS 4.1.0 via index.php?m=content&f=postinfo&v=listing&set_iframe=[XSS] to coreframe/app/content/postinfo.php.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/05/2025
The vulnerability CVE-2019-9110 represents a cross-site scripting flaw discovered in WUZHI CMS version 4.1.0 that stems from improper input validation within the content management system's postinfo module. This vulnerability specifically manifests when the application processes the set_iframe parameter through the index.php endpoint with the content module and postinfo function. The flaw exists in the coreframe/app/content/postinfo.php file where user-supplied input is directly incorporated into the HTTP response without adequate sanitization or encoding mechanisms.
The technical implementation of this vulnerability follows a classic XSS attack pattern where malicious input is accepted through the URL parameter set_iframe and subsequently rendered in the web application's output without proper security controls. When a user visits a page containing the malicious payload within the set_iframe parameter, the browser executes the injected script in the context of the victim's session. This represents a reflected XSS vulnerability as the malicious code is not stored on the server but rather delivered through the request parameter. The vulnerability falls under CWE-79 which categorizes improper neutralization of input during web page generation, specifically addressing the failure to sanitize user-controllable data before incorporating it into dynamically generated web content.
The operational impact of this vulnerability extends beyond simple script execution as it enables attackers to perform session hijacking, defacement of web pages, and potentially gain unauthorized access to administrative functions. An attacker could craft malicious URLs that, when clicked by authenticated users with sufficient privileges, would execute scripts that steal session cookies or redirect users to malicious sites. The vulnerability particularly affects the content management workflow where users might be prompted to interact with the postinfo functionality, making it a significant risk for content editors and administrators who might inadvertently click on compromised links. This vulnerability aligns with ATT&CK technique T1566 which describes the use of malicious content to gain initial access to systems through social engineering or direct exploitation of web applications.
Mitigation strategies for CVE-2019-9110 should prioritize immediate patching of the WUZHI CMS to version 4.1.1 or later where the vulnerability has been addressed through proper input validation and output encoding. Organizations should implement comprehensive input validation measures that sanitize all user-supplied parameters, particularly those used in dynamic content generation. The implementation of Content Security Policy headers can provide additional defense-in-depth measures to prevent script execution from unauthorized sources. Regular security auditing of web applications should include verification of parameter handling and input validation mechanisms to prevent similar vulnerabilities from emerging in other parts of the codebase. Network monitoring should be enhanced to detect suspicious URL patterns containing potential XSS payloads, and user education regarding the dangers of clicking untrusted links remains essential for overall security posture.