Hongcms
CVE-2018-10422
MEDIUM
Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionNVD
An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field.
AnalysisAI
An issue was discovered in HongCMS 3.0.0. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. An issue was discovered in HongCMS 3.0.0. The post news feature has Stored XSS via the content field. Affected products include: Hongcms Project Hongcms.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.
HongCMS 3.0.0 allows arbitrary file deletion via the component /admin/index.php/template/ajax?action=delete. Rated high
HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/language/ajax?action=del
An issue in the /template/edit component of HongCMS v3.0 allows attackers to getshell. Rated high severity (CVSS 7.2), t
An issue in the languages config file of HongCMS v3.0 allows attackers to getshell. Rated high severity (CVSS 7.2), this
An issue was discovered in HongCMS 3.0.0. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, lo
An issue wan discovered in admin\controllers\database.php in HongCMS 3.0.0. Rated high severity (CVSS 7.2), this vulnera
HongCMS 3.0.0 allows arbitrary file deletion via a ../ in the file parameter to admin/index.php/database/ajax?action=del
HongCMS 3.0.0 allows arbitrary file read and write operations via a ../ in the filename parameter to the admin/index.php
HongCMS 3.0.0 has XSS via the install/index.php tableprefix parameter. Rated medium severity (CVSS 6.1), this vulnerabil
HongCMS 3.0.0 has XSS via the install/index.php dbpassword parameter. Rated medium severity (CVSS 6.1), this vulnerabili
HongCMS 3.0.0 has XSS via the install/index.php dbusername parameter. Rated medium severity (CVSS 6.1), this vulnerabili
HongCMS 3.0.0 has XSS via the install/index.php dbname parameter. Rated medium severity (CVSS 6.1), this vulnerability i
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today