CVE-2024-43006 Information
Aug 17, 2024
cve
Description
A stored cross-site scripting (XSS) vulnerability exists in ZZCMS2023 in the ask/show.php file at line 21. An attacker can exploit this vulnerability by sending a specially crafted POST request to /user/ask_edit.php?action=add that includes malicious JavaScript code in the ‘content’ parameter. When a user visits the ask/show_newsid.html page, the injected script is executed in the context of the user’s browser, leading to potential theft of cookies, session tokens, or other sensitive information.
Reference
http://www.zzcms.net/about/download.html
https://github.com/gkdgkd123/codeAudit/blob/main/CVE-2024-43006%20ZZCMS2023%E5%82%A8%E5%AD%98%E5%9E%8BXSS.md