Platform: php
Fixed in: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6
A cross-site scripting (XSS) vulnerability has been identified in YiFang CMS Extended Management Module versions 2.0.0 through 2.0.5. The flaw is in the 'update' function of app/db/admin/D_adPosition.php, which accepts the 'name' and 'index' arguments without neutralising script content, so an attacker who controls either value can inject a script into pages that later render it. Successful exploitation could lead to session hijacking or defacement of the affected website.
The primary impact of CVE-2026-2932 is cross-site scripting: a script payload placed in the 'name' or 'index' value is executed in the browser of whoever views the affected page, in the origin of the YiFang CMS site. From there it can read session cookies that are not marked HttpOnly, issue requests with the victim's session (for example further administrative changes), redirect the user to a malicious site, or deface the page. The vulnerability is exploitable remotely, meaning only network access to the application is needed; this entry does not state whether a valid login is required, and since the affected file lives under the administrative module (app/db/admin/), neither assume it is reachable unauthenticated nor treat it as harmless because it sits behind a login: the likeliest victim is an administrator holding a privileged session. The public availability of an exploit further increases the risk of near-term exploitation.
CVE-2026-2932 has been publicly disclosed and a proof-of-concept exploit is available, which makes exploitation attempts more likely. Its LOW CVSS score reflects the bounded impact of a single script injection (the payload runs in a victim's browser, not on the server, and normally needs a victim to load the affected page); the public proof of concept nonetheless makes it a high-priority remediation target. It was published on 2026-02-22.
Websites and applications running YiFang CMS Extended Management Module versions 2.0.0 through 2.0.5 are at risk, in particular organizations whose administrative interface is reachable from the Internet and whose administrators use it from a browser with a privileged session. An XSS payload executes in the origin of the vulnerable site only; on shared hosting it does not by itself reach other tenants' sites, so the exposure is the affected site's own users and administrators.
• php / web: request the update endpoint with a probe payload in 'name' and 'index' and check whether the response reflects it unescaped (a HEAD request with -I returns only headers, so a reflected payload would never be seen; if the update is POST-only in your deployment, send the same fields with --data-urlencode and drop -G):
curl -sS -G 'https://example.com/app/db/admin/D_adPosition.php' --data-urlencode 'name=<script>alert(1)</script>' --data-urlencode 'index=<script>alert(1)</script>' | grep -c '<script>alert(1)</script>'
• generic web: look for script tags in requests to the affected file, raw or percent-encoded, since browsers and scanners usually send the payload encoded:
grep -iE 'D_adPosition\.php.*(<script|%3Cscript)' /var/log/apache2/access.log
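As an added example (not the page's own tooling and not part of YiFang CMS), the following PHP script applies the same log check more carefully than a raw grep: it parses Apache combined-format lines, restricts itself to requests for D_adPosition.php, and decodes the 'name' and 'index' parameters through one or more layers of percent-encoding before looking for script markers. The log lines are constructed for the example, and the marker list and target filename are assumptions chosen to match the advisory.

```php
<?php
// Added example (not YiFang CMS or vendor code). Requires PHP 8 for str_contains/str_ends_with.
// Scans Apache combined-format access log lines for requests to D_adPosition.php whose
// 'name' or 'index' parameter carries an XSS payload, including percent-encoded and
// double-encoded forms that a plain grep for '<script>' misses.
declare(strict_types=1);

const TARGET = 'D_adPosition.php';                      // assumed: the affected file from the advisory
const XSS_MARKERS = ['<script', 'javascript:', 'onerror=', 'onload=', '<img', '<svg'];  // assumed marker list

/** Decode up to $rounds layers of percent-encoding, stopping once nothing changes. */
function deepUrlDecode(string $s, int $rounds = 3): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $d = urldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

/** Parse one combined-log line into ip/method/path/query, or null if it does not look like one. */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[3]);
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $url['path'] ?? '',
        'query'  => $url['query'] ?? '',
    ];
}

/** Return the suspicious parameter and its decoded value, or null if the request looks benign. */
function findXssInRequest(string $line): ?array
{
    $req = parseLogLine($line);
    if ($req === null || !str_ends_with($req['path'], TARGET)) {
        return null;
    }
    parse_str($req['query'], $params);                   // parse_str strips one encoding layer
    foreach (['name', 'index'] as $p) {
        if (!isset($params[$p])) {
            continue;
        }
        $value = strtolower(deepUrlDecode((string) $params[$p]));
        foreach (XSS_MARKERS as $marker) {
            if (str_contains($value, $marker)) {
                return ['ip' => $req['ip'], 'param' => $p, 'value' => $value];
            }
        }
    }
    return null;
}

// Constructed sample lines for the example (not real traffic): an encoded <script> probe,
// a double-encoded <img onerror> probe, a legitimate update, and a probe against another file.
$sample = [
    '203.0.113.7 - - [22/Feb/2026:10:01:02 +0000] "GET /app/db/admin/D_adPosition.php?name=%3Cscript%3Ealert(1)%3C/script%3E&index=1 HTTP/1.1" 200 512 "-" "curl/8.5"',
    '203.0.113.7 - - [22/Feb/2026:10:01:05 +0000] "GET /app/db/admin/D_adPosition.php?index=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl/8.5"',
    '198.51.100.4 - - [22/Feb/2026:10:02:00 +0000] "GET /app/db/admin/D_adPosition.php?name=Homepage%20banner&index=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [22/Feb/2026:10:02:30 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
];

foreach ($sample as $line) {
    $hit = findXssInRequest($line);
    if ($hit !== null) {
        printf("%s param=%s value=%s\n", $hit['ip'], $hit['param'], $hit['value']);
    }
}
```

Run it with `php scan.php` or feed a real log with `while read -r l; do ...; done`; only the first two constructed lines are reported, the legitimate update and the probe against index.php are not. The marker list is deliberately short; extend it with whatever your WAF or scanner signatures flag, but keep the multi-layer decode, since that is what catches the double-encoded variant.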
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-2932 is to upgrade YiFang CMS Extended Management Module to a release later than 2.0.5 that contains the security fix. If you cannot upgrade immediately, review the 'update' function in app/db/admin/D_adPosition.php and every template that renders the 'name' and 'index' values it saves: validate the inputs on the way in (an 'index' should be an integer, a 'name' a bounded, printable string) and, more importantly, HTML-encode the values at the point of output, because encoding for the output context is what actually stops script injection. A Web Application Firewall (WAF) can filter requests carrying obvious XSS payloads as a stop-gap, but it does not replace output encoding.
Update YiFang CMS to a version later than 2.0.5 to fix the XSS vulnerability. If updating is not possible, review and filter the 'name' and 'index' parameters in app/db/admin/D_adPosition.php to prevent injection of malicious code.
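As an added illustration of the mitigation (this is not YiFang CMS code; the function names and the row layout below are hypothetical, and only the parameter names 'name' and 'index' and the file path come from the advisory), here is the pattern in PHP: a renderer that echoes the saved values raw, as the advisory describes, beside a version that validates on input and HTML-encodes on output.

```php
<?php
// Added example (not YiFang CMS code): a minimal model of the 'update' path in
// app/db/admin/D_adPosition.php. Function names and the HTML layout are hypothetical.
declare(strict_types=1);

// --- Vulnerable pattern: the submitted values are saved and later echoed straight into HTML ---
function renderPositionRowVulnerable(array $pos): string
{
    // Whatever was submitted as 'name' or 'index' becomes markup in the admin page
    return "<tr><td>{$pos['index']}</td><td>{$pos['name']}</td></tr>";
}

// --- Hardened pattern: validate on input, encode on output ---
function validatePositionInput(array $input): array
{
    // 'index' is a position number: accept only a non-negative integer
    $index = filter_var($input['index'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($index === false) {
        throw new InvalidArgumentException('index must be a non-negative integer');
    }
    // 'name' is a short label: bound its length and reject control characters.
    // Note that '<' is still allowed here; validation narrows the input, encoding at output
    // is what makes it safe to display.
    $name = (string) ($input['name'] ?? '');
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        throw new InvalidArgumentException('name must be 1-64 printable characters');
    }
    return ['index' => $index, 'name' => $name];
}

/** Encode a value for an HTML element body or quoted attribute. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPositionRowHardened(array $pos): string
{
    return '<tr><td>' . e((string) $pos['index']) . '</td><td>' . e($pos['name']) . '</td></tr>';
}

// Constructed payload of the kind the advisory describes (not taken from the public PoC)
$payload = ['index' => '3', 'name' => '<script>alert(1)</script>'];

// Vulnerable path: the script tag reaches the browser as markup
echo renderPositionRowVulnerable($payload), PHP_EOL;

// Hardened path: the name passes validation (it is printable) but is rendered as text
$clean = validatePositionInput($payload);
echo renderPositionRowHardened($clean), PHP_EOL;

// Hardened path: a payload in 'index' is rejected before it is ever stored
try {
    validatePositionInput(['index' => '<script>alert(1)</script>', 'name' => 'Homepage banner']);
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;
}
```

The hardened renderer prints the name as `&lt;script&gt;alert(1)&lt;/script&gt;`, which the browser displays literally. Keep the two controls separate in a real fix: validation belongs in the 'update' function, encoding belongs in every template that prints these fields, and if a value is ever inserted into a JavaScript string or a URL it needs the encoding for that context rather than htmlspecialchars.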
CVE-2026-2932 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS Extended Management Module versions 2.0.0–2.0.5, allowing remote attackers to inject malicious scripts.
You are affected if your YiFang CMS Extended Management Module is running versions 2.0.0 through 2.0.5. Upgrade immediately or implement mitigation strategies.
Upgrade to a patched version of YiFang CMS Extended Management Module. Until you can, validate the 'name' and 'index' inputs, HTML-encode them wherever they are rendered, and consider a WAF as an additional layer.
Yes, a proof-of-concept exploit is publicly available, increasing the likelihood of active exploitation.
Refer to the official YiFang CMS website or security mailing lists for the latest advisory regarding CVE-2026-2932.