DaiCuoCms1.3.13 has Cross-Site Scripting (XSS) vulnerability #1

@Facker007

Description

DaiCuoCms version 1.3.13 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. An authenticated user with access to the admin panel can inject malicious JavaScript code into article content or other editable fields. This code is then rendered and executed in the context of users who visit the affected frontend pages, potentially leading to session hijacking, phishing, or other malicious actions. The lack of proper input sanitization and output encoding makes this vulnerability exploitable.

Login to the admin panel using the default credentials:
Username: admin
Password: admin888

Navigate to the SEO Optimization settings section.

Inject the following payload into a field such as the site title or description:
"><img src=0 onerror=alert(1)>

Save the changes and visit the homepage.
The malicious script will execute, confirming the XSS vulnerability.

Payload Execution on Homepage: (screenshot)

Vulnerability Verification: (screenshot)
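The report attributes the bug to missing output encoding of admin-editable settings such as the site title. As an added illustration (not code from DaiCuoCms, which is a PHP project, and not the reporter's), the Python below renders the reported payload through a vulnerable template pattern and through a hardened one, and adds a simple scan that flags stored settings containing markup so an operator can spot a tampered configuration. The function names, the settings keys and the sample values are constructed for this example.

```python
import html
import re

# Constructed sample: the payload quoted in the report, as it would sit in a
# stored "site title" setting after an admin saved it.
STORED_TITLE = '"><img src=0 onerror=alert(1)>'

# Constructed sample settings table; only site_title carries markup.
SAMPLE_SETTINGS = {
    "site_title": STORED_TITLE,
    "site_description": "A small demo site about daily cooking",
    "site_keywords": "recipes, cooking, kitchen",
}


def render_title_unsafe(title: str) -> str:
    """Vulnerable pattern: the stored value is interpolated into both an
    attribute and an element body with no encoding. The leading '">' in the
    payload closes the attribute and the tag, and the <img> becomes live HTML."""
    return f'<meta name="title" content="{title}"><title>{title}</title>'


def render_title_safe(title: str) -> str:
    """Hardened pattern: html.escape with quote=True encodes <, >, &, " and ',
    which is sufficient for a double-quoted attribute and for element text."""
    safe = html.escape(title, quote=True)
    return f'<meta name="title" content="{safe}"><title>{safe}</title>'


def contains_live_img_tag(rendered: str) -> bool:
    """True if the rendered HTML still contains an <img ...> tag that a browser
    would parse as an element (i.e. the payload was not neutralised)."""
    return re.search(r"<img\b", rendered, re.IGNORECASE) is not None


# Indicators that a plain-text setting holds HTML markup or an event handler.
_MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-z]"        # an opening or closing tag
    r"|\bon[a-z]+\s*="       # an inline event handler such as onerror=
    r"|javascript\s*:",      # a javascript: URL
    re.IGNORECASE,
)


def find_suspicious_settings(settings: dict) -> list:
    """Detection aid: return the names of settings whose value looks like
    markup. Site titles, descriptions and keywords should never contain tags."""
    return sorted(key for key, value in settings.items() if _MARKUP_RE.search(value))


if __name__ == "__main__":
    print("unsafe :", render_title_unsafe(STORED_TITLE))
    print("safe   :", render_title_safe(STORED_TITLE))
    print("flagged:", find_suspicious_settings(SAMPLE_SETTINGS))
```

The hardened renderer is the fix the report implies: encode at output time, in the context the value lands in. The detection helper is a quick audit for an existing install, run over whatever settings export the CMS offers, rather than a substitute for encoding.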
