CVE-2024-7900 in TpMeCMS
Summary
by MITRE • 08/17/2024
A vulnerability, which was classified as problematic, was found in xiaohe4966 TpMeCMS 1.3.3.2. Affected is an unknown function of the file /h.php/general/config?ref=addtabs of the component Basic Configuration Handler. The manipulation of the argument Site Name/Beian/Contact address/copyright/technical support leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/14/2025
The vulnerability identified as CVE-2024-7900 represents a critical cross site scripting flaw within the TpMeCMS 1.3.3.2 content management system developed by xiaohe4966. This security weakness resides in the Basic Configuration Handler component, specifically within the /h.php/general/config?ref=addtabs file path where user input is improperly handled. The vulnerability manifests when attackers manipulate parameters including Site Name, Beian, Contact address, copyright, and technical support fields, which are processed without adequate sanitization or output encoding mechanisms. This flaw falls under the CWE-79 category of Cross Site Scripting, which is a fundamental web application security weakness that allows attackers to inject malicious client-side scripts into web pages viewed by other users.
The operational impact of this vulnerability extends beyond simple data theft or session hijacking, as it enables attackers to execute arbitrary JavaScript code within the context of the victim's browser. When legitimate users access pages containing the maliciously injected scripts, these scripts can perform actions such as stealing cookies, redirecting users to malicious sites, defacing web pages, or even executing additional attacks through the victim's browser. The remote exploitation capability means that attackers do not require physical access to the target system or network, making this vulnerability particularly dangerous as it can be leveraged from anywhere on the internet. The fact that this exploit has been publicly disclosed and is potentially in use by threat actors significantly increases the risk to affected organizations.
The security implications of CVE-2024-7900 align with several tactics outlined in the MITRE ATT&CK framework, particularly those related to initial access and execution phases. Attackers can leverage this vulnerability to establish a foothold within the target environment through malicious script injection, potentially leading to more sophisticated attacks such as credential theft or lateral movement. The lack of vendor response to early disclosure attempts is particularly concerning as it suggests either limited security awareness within the development team or insufficient resources to address the vulnerability promptly. Organizations utilizing TpMeCMS 1.3.3.2 should immediately implement mitigations including input validation, output encoding, and web application firewall rules to prevent exploitation. Additionally, the vulnerability demonstrates the critical importance of timely patch management and vendor communication in maintaining secure web applications, as the absence of vendor response leaves users exposed to ongoing threats while the vulnerability remains unaddressed.