Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered reflected XSS needing active victim interaction; scope changes to browser context; no server-side confidentiality or availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A reflected cross-site scripting (XSS) vulnerability in MCMS v6.0.1 allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload.
AnalysisAI
Reflected cross-site scripting in Mingsoft MCMS v6.0.1 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by delivering a crafted URL containing a malicious payload. The CVSS scope change (S:C) indicates impact extends beyond the web application itself into the victim's browser trust context, enabling session hijacking or credential theft. No public exploit identified at time of analysis beyond the referenced GitHub gist, and EPSS of 0.22% (13th percentile) signals very low current exploitation interest.
Technical ContextAI
MCMS (Mingsoft CMS, cpe:2.3:a:mingsoft:mcms:*:*:*:*:*:*:*:*) is a Java-based content management system maintained on Gitee. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), the root cause class for XSS: user-supplied input in one or more HTTP request parameters is echoed into the HTTP response without adequate encoding or sanitization, allowing the injected script to be interpreted and executed by the victim's browser. The reflected variant means the payload is not stored server-side but must be delivered to each victim individually via a crafted URL. The CVSS scope change (S:C) is consistent with reflected XSS because the vulnerability in the MCMS application component affects resources in a different security scope - the user's browser session - enabling the attacker to interact with other origins or steal cross-origin tokens.
RemediationAI
No vendor-released patched version is identified at time of analysis; the Gitee repository at https://gitee.com/mingSoft/MCMS should be monitored for an upstream fix commit or tagged release addressing this parameter reflection. As an immediate compensating control, deploying a Content Security Policy (CSP) response header with a restrictive script-src directive (e.g., script-src 'self') will significantly reduce the exploitability of reflected XSS even absent a code fix, at the trade-off of potentially breaking inline scripts already used by the application that would need to be moved to external files. Additionally, a WAF rule blocking common XSS probe characters (<, >, javascript:, onerror=) in reflected parameters can reduce exposure but may generate false positives on legitimate user input. Restricting access to the vulnerable endpoint(s) to authenticated internal users where feasible eliminates unauthenticated attack surface entirely.
An arbitrary file upload vulnerability in the ueditor component of MCMS v5.4.3 allows attackers to execute arbitrary cod
Mingsoft MCMS v5.2.9 was discovered to contain a SQL injection vulnerability via the categoryType parameter at /content/
A vulnerability was found in Mingsoft MCMS up to 5.2.9. Rated critical severity (CVSS 9.8), this vulnerability is remote
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.
Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/page/verify URI via fieldName param
MCMS v5.2.8 was discovered to contain an arbitrary file upload vulnerability. Rated critical severity (CVSS 9.8), this v
An arbitrary file upload vulnerability was discovered in MCMS 5.2.7, allowing an attacker to execute arbitrary code thro
Mingsoft MCMS 5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/list URI via orderBy parameter
Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability in /mdiy/dict/listExcludeApp URI via orderB
MCMS v5.2.27 was discovered to contain a SQL injection vulnerability in the orderBy parameter at /dict/list.do. Rated cr
Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list. Rated critical sever
MCMS v5.2.4 was discovered to contain a SQL injection vulnerability via search.do in the file /mdiy/dict/listExcludeApp.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today