Vulnerability-Lookup

CNVD-2022-62200

Vulnerability from cnvd - Published: 2022-09-08

Title

WolfCMS跨站脚本漏洞（CNVD-2022-62200）

Description

WolfCMS是通过提供优雅的用户界面、灵活的每页模板、简单的用户管理和权限以及文件管理所需的工具来简化内容管理。 WolfCMS 0.8.3.1及其之前版本存在跨站脚本漏洞，该漏洞源于组件User Add的文件 /wolfcms/?/admin/user/add缺少参数的过滤转义。攻击者可利用该漏洞执行跨站脚本攻击。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://github.com/wolfcms/wolfcms

Reference

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25070

Impacted products

Name
WolfCMS WolfCMS <=0.8.3.1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-25070",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2019-25070"
    }
  },
  "description": "WolfCMS\u662f\u901a\u8fc7\u63d0\u4f9b\u4f18\u96c5\u7684\u7528\u6237\u754c\u9762\u3001\u7075\u6d3b\u7684\u6bcf\u9875\u6a21\u677f\u3001\u7b80\u5355\u7684\u7528\u6237\u7ba1\u7406\u548c\u6743\u9650\u4ee5\u53ca\u6587\u4ef6\u7ba1\u7406\u6240\u9700\u7684\u5de5\u5177\u6765\u7b80\u5316\u5185\u5bb9\u7ba1\u7406\u3002\n\nWolfCMS 0.8.3.1\u53ca\u5176\u4e4b\u524d\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7ec4\u4ef6User Add\u7684\u6587\u4ef6 /wolfcms/?/admin/user/add\u7f3a\u5c11\u53c2\u6570\u7684\u8fc7\u6ee4\u8f6c\u4e49\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://github.com/wolfcms/wolfcms",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-62200",
  "openTime": "2022-09-08",
  "products": {
    "product": "WolfCMS WolfCMS \u003c=0.8.3.1"
  },
  "referenceLink": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25070",
  "serverity": "\u4e2d",
  "submitTime": "2022-06-13",
  "title": "WolfCMS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2022-62200\uff09"
}

CVE-2019-25070 (GCVE-0-2019-25070)

Vulnerability from cvelistv5 – Published: 2022-06-09 13:10 – Updated: 2024-08-05 03:00 Unsupported When Assigned

Title

WolfCMS User Add cross site scripting

Summary

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in WolfCMS up to 0.8.3.1. It has been rated as problematic. This issue affects some unknown processing of the file /wolfcms/?/admin/user/add of the component User Add. The manipulation of the argument name leads to basic cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-135125 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Severity ?

3.5 (Low)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

3.5 (Low)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-80 - Basic Cross Site Scripting

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.135125	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.135125	signaturepermissions-required
	https://github.com/wolfcms/wolfcms/issues/683	exploitissue-tracking

Impacted products

	Vendor	Product	Version
	n/a	WolfCMS	Affected: 0.8.3.0 Affected: 0.8.3.1

Credits

pramodrana (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T03:00:19.026Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.135125"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.135125"
          },
          {
            "tags": [
              "exploit",
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/wolfcms/wolfcms/issues/683"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "User Add"
          ],
          "product": "WolfCMS",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "0.8.3.0"
            },
            {
              "status": "affected",
              "version": "0.8.3.1"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "pramodrana (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "** UNSUPPORTED WHEN ASSIGNED ** A vulnerability was found in WolfCMS up to 0.8.3.1. It has been rated as problematic. This issue affects some unknown processing of the file /wolfcms/?/admin/user/add of the component User Add. The manipulation of the argument name leads to basic cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-135125 was assigned to this vulnerability. NOTE: This vulnerability only affects products that are no longer supported by the maintainer."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in WolfCMS bis 0.8.3.1 ausgemacht. Sie wurde als problematisch eingestuft. Davon betroffen ist unbekannter Code der Datei /wolfcms/?/admin/user/add der Komponente User Add. Dank Manipulation des Arguments name mit unbekannten Daten kann eine basic cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 3.5,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 3.5,
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-80",
              "description": "CWE-80 Basic Cross Site Scripting",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-20T12:44:37.310Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.135125"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.135125"
        },
        {
          "tags": [
            "exploit",
            "issue-tracking"
          ],
          "url": "https://github.com/wolfcms/wolfcms/issues/683"
        }
      ],
      "tags": [
        "unsupported-when-assigned"
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2019-04-01T02:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2019-04-01T02:00:00.000Z",
          "value": "Exploit disclosed"
        },
        {
          "lang": "en",
          "time": "2019-05-16T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2022-06-04T00:00:00.000Z",
          "value": "CVE reserved"
        },
        {
          "lang": "en",
          "time": "2023-09-21T11:35:18.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "WolfCMS User Add cross site scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2019-25070",
    "datePublished": "2022-06-09T13:10:34.000Z",
    "dateReserved": "2022-06-04T00:00:00.000Z",
    "dateUpdated": "2024-08-05T03:00:19.026Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-62200

CVE-2019-25070 (GCVE-0-2019-25070)

Tags

Sightings

Nomenclature