Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability classified as problematic was found in ZCMS 3.6.0. This vulnerability affects unknown code of the component Create Article Page. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AnalysisAI
Reflected cross-site scripting (XSS) in ZCMS 3.6.0 Create Article Page allows authenticated attackers to inject malicious scripts via the Title parameter. The vulnerability requires user interaction (clicking a malicious link) and results in limited impact to integrity, with EPSS score of 0.05% (14th percentile) indicating minimal real-world exploitation probability despite public disclosure.
Technical ContextAI
ZCMS is a content management system where the Create Article Page component fails to properly sanitize user-supplied input in the Title parameter before reflecting it in HTTP responses. This is a classic reflected XSS vulnerability (CWE-79) where an attacker crafts a malicious URL containing script payload in the Title parameter, and when a logged-in user clicks the link, the unfiltered payload executes in their browser context. The vulnerability requires the victim to already be authenticated to the application and to interact with the malicious link, limiting the attack surface compared to stored XSS or unauthenticated vulnerabilities.
Affected ProductsAI
ZCMS version 3.6.0 is confirmed affected. The vulnerability is specific to the Create Article Page component's Title parameter handling. No indication of fixed versions or newer releases is provided in available references, suggesting the affected product may be abandoned or unmaintained.
RemediationAI
Apply input validation and output encoding to the Title parameter in the Create Article Page component. Implement HTML entity encoding for all user-supplied input before rendering in HTML context, or use a context-aware templating engine that automatically escapes output. If vendor patches are unavailable for ZCMS 3.6.0 (which is likely given the project age and reporting source), compensating controls include: (1) Implement a Web Application Firewall (WAF) rule to detect and block common XSS payloads in the Title parameter with trade-off of false positives requiring tuning, (2) Apply strict Content Security Policy (CSP) headers to prevent inline script execution with trade-off of potential application breakage if the application relies on inline scripts, (3) Restrict Create Article Page access to trusted administrator roles only via access controls. For long-term mitigation, consider migrating to an actively maintained CMS solution. References available at vuldb.com/?id.316738.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today