Vulnerabilities
Projects
Vulnerability Disclosure
About Us
Contact Us
Mend.io Vulnerability Database
What is a WS vulnerability ID?
What is an MSC vulnerability ID?
We found results for “”
CVE-2022-40849
Good to know:
Date: November 30, 2022
ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's PHP session token (PHPSESSID).
Language: PHP
Severity Score
Related Resources (6)
Severity Score
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79Top Fix
Upgrade Version
Upgrade to version thinkcmf/cmf-app - v6.0.15;thinkcmf/cmf-app - 8.0.x-dev;thinkcmf/cmf-app - v5.1.7;thinkcmf/cmf-app - v6.0.5;thinkcmf/cmf-app - v5.1.0;thinkcmf/cmf-app - v6.0.11;thinkcmf/cmf-app - v6.0.1;oyswonder/thinkcmf - 5.0.190111;oyswonder/thinkcmf - 5.0-Beta;oyswonder/thinkcmf - no_fix;oyswonder/thinkcmf - 5.1.0-beta;uban/cmf-app - v5.1.0;uban/cmf-app - no_fix;oyswonder/cmf-app - no_fix;thinkcmf/thinkcmf - v6.0.8;thinkcmf/thinkcmf - 5.0-Beta;thinkcmf/thinkcmf - v5.1.0;thinkcmf/thinkcmf - v5.1.7;thinkcmf/thinkcmf - v6.0.1;thinkcmf/thinkcmf - 5.1.0-beta;catman/thinkcmf - 5.1.0-beta;catman/thinkcmf - 5.0-Beta;catman/thinkcmf - no_fix;catman/thinkcmf - 5.0.190111;shenmuwangluo/thinkcmf-cmf-app - no_fix
CVSS v3.1
| Base Score: |
|
|---|---|
| Attack Vector (AV): | NETWORK |
| Attack Complexity (AC): | LOW |
| Privileges Required (PR): | LOW |
| User Interaction (UI): | REQUIRED |
| Scope (S): | CHANGED |
| Confidentiality (C): | LOW |
| Integrity (I): | LOW |
| Availability (A): | NONE |