CVE-2023-3990 Scanner
CVE-2023-3990 Scanner - Cross-Site Scripting (XSS) vulnerability in Mingsoft MCMS
Short Info
Level
Medium
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
2 weeks 11 hours
Scan only one
Domain, IPv4, Subdomain
Toolbox
-
Mingsoft MCMS is a content management system commonly used by developers and organizations to build and maintain websites. Its rich features and extensibility make it suitable for a wide range of applications, from small business sites to large enterprise portals. The software is popular for its user-friendly interface and customizable modules. It is designed to handle diverse content management needs efficiently. Mingsoft MCMS supports multiple languages, making it accessible to global users. With regular updates, it strives to provide users with enhanced security and performance.
The vulnerability detected in this scanner involves Cross-Site Scripting (XSS) in Mingsoft MCMS up to version 5.3.1. An attacker can exploit this flaw by injecting malicious scripts into the application’s HTTP POST Request Handler, specifically the search.do file. This issue arises due to inadequate input sanitization on the `style` parameter. Exploiting this vulnerability can allow attackers to execute arbitrary scripts in the browser of users who view the manipulated content. As a result, the application becomes vulnerable to unauthorized actions performed on behalf of authenticated users.
Technically, the issue is rooted in the lack of input validation for the `style` parameter in POST requests to the search.do file. When malicious JavaScript code, such as ``, is sent, the application processes it without neutralizing the script. If successful, the injected code is executed in the user's browser whenever they interact with the affected functionality. This enables attackers to manipulate the document's content, exfiltrate data, or redirect users to malicious sites.
If this vulnerability is exploited, attackers could steal sensitive data such as session tokens or user credentials, modify the content displayed to users, or spread further attacks to unsuspecting victims. Additionally, attackers might deface the site or compromise its integrity, leading to a loss of user trust and potential financial or reputational damage.
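As an added illustration (not code from Mingsoft MCMS or from this scanner), the following Python models the `style` parameter reflection described above from a defender's side: a request-body check that flags script-like content in `style` on `search.do` POSTs, next to a hardened renderer that allowlists and escapes the value. The allowlist of style names, the form-encoded body layout and the rendering template are assumptions.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed POST bodies for search.do (assumption: the form is
# application/x-www-form-urlencoded and carries a `style` field).
BENIGN_BODY = "keyword=news&style=default"
SUSPICIOUS_BODY = "keyword=news&style=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Assumed allowlist of template style names; a real deployment would
# take this from its own configuration, not from request input.
ALLOWED_STYLES = {"default", "compact", "list"}

# Markers that should never appear in a template-style selector.
_SCRIPT_MARKERS = re.compile(r"<\s*/?\s*script|javascript:|on\w+\s*=", re.I)


def style_param(body: str) -> str:
    """Return the first `style` value from a form-encoded body ('' if absent)."""
    return parse_qs(body, keep_blank_values=True).get("style", [""])[0]


def looks_like_xss(body: str) -> bool:
    """Detection check a WAF or log reviewer could apply to search.do POSTs."""
    return bool(_SCRIPT_MARKERS.search(style_param(body)))


def render_vulnerable(style: str) -> str:
    """Illustrative model of the flaw: the value is reflected into HTML as-is."""
    return f'<div class="{style}">results</div>'


def render_hardened(style: str) -> str:
    """Allowlist first, then HTML-escape so any unexpected input stays inert."""
    if style not in ALLOWED_STYLES:
        style = "default"
    return f'<div class="{html.escape(style, quote=True)}">results</div>'
```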
REFERENCES