| 标题 | MuuCmf MuuCmf T6 cms 1.9.5.20260309 Improper Neutralization of Alternate XSS Syntax |
|---|
| 描述 | Link project: https://gitee.com/dameng100/muucmf
1/ Description:
Reflected Cross-Site Scripting (XSS) in MuuCmf T6 v1.9.5.20260309 allows a remote attacker to execute arbitrary JavaScript code in the context of the user's browser session via the keyword parameter to the channel/admin.Account/autoReply.html
CVSS score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
2/Technical details:
- Vulnerable Endpoint: /channel/admin.Account/autoReply.html
- Vulnerable Parameter: keyword
3/ POC:
Step 1: Inject the XSS payload to this URL: http://victim.com/channel/admin.Account/autoReply.html?keyword=<payload_here>
Step 2: Delivery the URL with XSS payload to admin
Step 3: The XSS payload will execute and can steal admin cookie. |
|---|
| 来源 | ⚠️ https://thinhneee.github.io/posts/muucmf-xss-channel/ |
|---|
| 用户 | thinhnee (UID 96296) |
|---|
| 提交 | 2026-03-10 10時33分 (27 日前) |
|---|
| 管理 | 2026-03-25 15時51分 (15 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 353151 [dameng100 muucmf 1.9.5.20260309 autoReply.html keyword 跨网站脚本] |
|---|
| 积分 | 20 |
|---|