CVE-2023-2058

14.04.2023, 14:15

A vulnerability was found in EyouCms up to 1.6.2. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /yxcms/index.php?r=admin/extendfield/mesedit&tabid=12&id=4 of the component HTTP POST Request Handler. The manipulation of the argument web_ico leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-225943.

Cross-site Scripting

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	2.4 LOW	NETWORK	LOW	HIGH	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 58%

Affected Products (NVD)

Vendor	Product	Version
eyoucms	eyoucms	𝑥 ≤ 1.6.2

𝑥

= Vulnerable software versions

openSUSE / SLES Releases

openSUSE Product

Release

cluster-md-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

dlm-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

gfs2-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-64kb

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-default-base

suse enterprise server 15 SP6

6.4.0-150600.23.112.1.150600.12.52.1

fixed

kernel-docs

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-macros

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-obs-build

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-source

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-syms

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

kernel-zfcpdump

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

ocfs2-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

reiserfs-kmp-default

suse enterprise server 15 SP6

6.4.0-150600.23.112.1

fixed

Known Exploits!

Common Weakness Enumeration

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References

https://github.com/sleepyvv/vul_report/blob/main/EYOUCMS/XSS2.md

https://vuldb.com/?ctiid.225943

https://vuldb.com/?id.225943

https://github.com/sleepyvv/vul_report/blob/main/EYOUCMS/XSS2.md

https://vuldb.com/?ctiid.225943

https://vuldb.com/?id.225943