Platform: php
Fixed in: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6
A cross-site scripting (XSS) vulnerability has been discovered in YiFang CMS versions 2.0.0 through 2.0.5. This flaw resides within the Extended Management Module's file update function (app/db/admin/D_adManage.php). Successful exploitation allows an attacker to inject malicious scripts, potentially compromising user sessions and data integrity. A public proof-of-concept exists, increasing the risk of immediate exploitation.
The XSS vulnerability in YiFang CMS allows an attacker to inject arbitrary JavaScript into the application, which then runs in the victim's browser, with the victim's session, when the affected page is rendered. An attacker could use this to steal session cookies (unless they are flagged HttpOnly), redirect users to malicious websites, deface the page, or perform actions in the CMS on the victim's behalf; because the affected function sits in the admin-side Extended Management Module, an administrator's session is the most valuable target. Note that XSS runs inside the browser's sandbox and does not by itself execute code on the user's machine. The flaw is reachable over the network, but remotely reachable is not the same as unauthenticated: since the vulnerable code lives in the admin file update function, an attacker without admin credentials would typically need an authenticated administrator to submit or view the payload. Given the public availability of a proof-of-concept, the risk of exploitation is considered high.
This vulnerability is publicly known with a proof-of-concept available, indicating a high probability of exploitation. It has been added to the CISA KEV catalog. The low CVSS score reflects the relatively limited impact, but the ease of exploitation and public availability of the PoC make it a significant risk, particularly for systems with vulnerable versions exposed to the internet.
Websites and applications utilizing YiFang CMS versions 2.0.0 through 2.0.5 are at risk. This includes organizations hosting their own YiFang CMS installations, as well as shared hosting environments where YiFang CMS is deployed. Administrators and users with access to the Extended Management Module are particularly vulnerable.
• php: Examine the app/db/admin/D_adManage.php file for unsanitized handling of the 'Name' parameter. Search for instances where user-supplied data is output directly into the HTML without encoding.
// Example of vulnerable code
<p><?php echo $_POST['Name']; ?></p>
• generic web: Monitor access logs for unusual requests targeting app/db/admin/D_adManage.php with suspicious values in the 'Name' field. Look for patterns indicative of XSS payloads. A payload in a query string is normally URL-encoded in the log, so match both the raw and the encoded form. Note that standard access logs do not record POST bodies, so a payload sent in the POST body (which is how the snippet above reads it, via $_POST) will not show up here.
grep -iE 'D_adManage\.php.*(<script|%3Cscript|javascript:|javascript%3A)' /var/log/apache2/access.log
• generic web: Check the response body, not just the headers (curl -I returns headers only), for the injected payload being reflected unencoded. Run this only against systems you are authorized to test. The request below sends the payload in the POST body to match the $_POST access in the snippet; if the parameter is also read from the query string, repeat it as a GET.
curl -s --data-urlencode 'Name=<script>alert(1)</script>' https://example.com/app/db/admin/D_adManage.php | grep -i '<script>alert(1)</script>'
Exploit Status: disclosure, poc, kev
EPSS: 0.03% (7th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-2933 is to upgrade YiFang CMS to a version that includes the security patch. If upgrading immediately is not feasible, implement input validation on the 'Name' parameter and HTML-encode it at the point of output within app/db/admin/D_adManage.php. A Web Application Firewall (WAF) configured to block XSS payloads targeting this specific parameter can provide a temporary layer of protection, but a rule keyed to one parameter is easily bypassed with encoding variations and is only a stopgap. Review access control lists to restrict access to the admin panel to authorized personnel only. After upgrading, verify the fix by submitting a simple XSS payload (e.g. <script>alert(1)</script>) through the affected parameter and confirming that it is returned HTML-encoded (as &lt;script&gt;...) rather than rendered as live markup.
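The following is an added example, not code from YiFang CMS or its maintainers: it places the unsafe pattern from the detection section (the raw 'Name' POST parameter echoed into HTML) beside a hardened version with output encoding and input validation, and implements the post-upgrade check described above. Only the 'Name' parameter and the admin file update context come from the advisory; the function names, the validation character class and the handler shape are assumptions.

```php
<?php
// Added example, not code from YiFang CMS: the unsafe pattern the advisory
// describes ($_POST['Name'] echoed into HTML) beside a hardened version.
// Function names and the validation rule are hypothetical; only the
// 'Name' parameter and the admin file update context come from the advisory.
// Requires PHP 8.0+ (str_contains).

declare(strict_types=1);

// Vulnerable pattern: the raw parameter value is concatenated into markup.
function render_name_vulnerable(string $name): string
{
    return '<p>' . $name . '</p>';
}

// Contextual output encoding for HTML text and quoted attribute values.
// ENT_QUOTES encodes both quote characters so the result is also safe in
// a "..."/'...' attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise drop the value silently.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Fixed pattern: encode at the point of output, in the HTML context.
function render_name_hardened(string $name): string
{
    return '<p>' . html_encode($name) . '</p>';
}

// Defence in depth for the stored case: reject anything that does not look
// like a name before it is written to the database, so a payload never
// reaches later page loads. The character class is an assumed policy.
function validate_name(string $name): bool
{
    return (bool) preg_match('/\A[\p{L}\p{N} _.-]{1,64}\z/u', $name);
}

// The post-upgrade check the advisory suggests: feed a simple payload through
// the renderer and confirm it comes back encoded rather than as live markup.
function verify_fix(callable $renderer, string $payload = '<script>alert(1)</script>'): bool
{
    $html = $renderer($payload);
    return !str_contains($html, '<script') && str_contains($html, '&lt;script&gt;');
}

// Handler shape mirroring the affected request: validate on input, encode on output.
function handle_update(array $post): string
{
    $name = (string) ($post['Name'] ?? '');
    if (!validate_name($name)) {
        return '<p>Invalid name</p>';   // reject; would be an HTTP 400 in a real handler
    }
    return render_name_hardened($name);
}

if (PHP_SAPI === 'cli') {
    $payload = '<script>alert(1)</script>';
    printf("vulnerable:   %s\n", render_name_vulnerable($payload));
    printf("hardened:     %s\n", render_name_hardened($payload));
    printf("vulnerable renderer passes check: %s\n", verify_fix('render_name_vulnerable') ? 'yes' : 'no');
    printf("hardened renderer passes check:   %s\n", verify_fix('render_name_hardened') ? 'yes' : 'no');
    printf("handle_update(payload): %s\n", handle_update(['Name' => $payload]));
    printf("handle_update(normal):  %s\n", handle_update(['Name' => 'ad-banner 01']));
}
```

Run it with `php example.php`: the vulnerable renderer returns the payload as live markup and fails the check, while the hardened renderer returns &lt;script&gt;alert(1)&lt;/script&gt; and passes. Encoding on output is the actual fix; validation on input is an extra layer that keeps a payload out of the database, which matters because the advisory places the flaw in a file update (storage) path where the script would otherwise fire on every later page load.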
Update YiFang CMS to a version later than 2.0.5 to fix the XSS vulnerability in the Extended Management Module. If updating is not possible, disabling or removing the affected module is recommended.
CVE-2026-2933 is a cross-site scripting (XSS) vulnerability affecting YiFang CMS versions 2.0.0–2.0.5, allowing attackers to inject malicious scripts via the 'Name' parameter in the Extended Management Module.
If you are using YiFang CMS versions 2.0.0 through 2.0.5, you are potentially affected by this vulnerability. Assess your environment and upgrade as soon as possible.
The recommended fix is to upgrade YiFang CMS to a patched version. If immediate upgrade is not possible, implement input validation and sanitization or use a WAF.
Due to the public availability of a proof-of-concept, CVE-2026-2933 is considered to be at high risk of exploitation.
Refer to the official YiFang CMS website or security advisories for the latest information and updates regarding CVE-2026-2933.