CVE-2024-22927
published 2024-02-01

CVE-2024-22927: Cross Site Scripting (XSS) vulnerability in the func parameter in eyoucms v.1.6.5 allows a remote attacker to run arbitrary code via crafted URL.

Priority: P278 · medium · 6.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:R / S:C / C:L / I:L / A:N
ITW / Exploit / VulnCheck KEV: Exploited in the wild
EPSS: 1.03% (59.3rd percentile)

Affected (1 range)

Vendor    Product   Version range   Fixed in
eyoucms   eyoucms   (not given)     (not given)

Detection & IOCs (extracted from sources)

url:   /login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoZG9jdW1lbnQuZG9tYWluKTwvU2NSaVB0PiIsInNpemUiOiIyMDk3MTUyIiwiaW5wdXQiOiIiLCJmdW5jIjoiaGVhZF9waWNfY2FsbF9iYWNrIiwicGF0aCI6ImFsbGltZyIsImlzX3dhdGVyIjoiMSIsImFsZyI6IkhTMjU2In0&lang=cn&m=admin&unneed_syn=
path:  /login.php
other: name="num" value="1">alert(document.domain)
  • Exploit is delivered via HTTP POST to /login.php with query parameters a=get_upload_list, c=Uploadimgnew, m=admin, and a base64-encoded JSON payload in the 'info' parameter that carries the XSS payload in its 'num' field.
  • Successful exploitation is confirmed when the HTTP response body contains both 'name="num" value="1">alert(document.domain)' and 'id="eytime"', with a 200 status code and a text/html content-type.
  • The vulnerable input is the 'func' parameter inside the base64-encoded JSON 'info' value; in the decoded payload func=head_pic_call_back and a <ScRiPt> XSS tag is injected into the 'num' field.
  • FOFA fingerprinting query for identifying exposed eyoucms instances: title="eyoucms"
  • The XSS payload is embedded inside a base64-encoded JSON object passed in the 'info' query parameter. The decoded JSON is: {"num":"1\"><ScRiPt >alert(document.domain)</ScRiPt>","size":"2097152","input":"","func":"head_pic_call_back","path":"allimg","is_water":"1","alg":"HS256"}. Detection rules must account for base64-encoded variants of the payload.
  • The vulnerability is specific to eyoucms version 1.6.5; the CPE is cpe:2.3:a:eyoucms:eyoucms:1.6.5:*:*:*:*:*:*:*.
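Because the payload travels base64-wrapped inside the 'info' parameter, a plain string match on the access log never sees the <ScRiPt> tag. The following detector is an added example (not code from cbcvebase, VulnCheck or the eyoucms project): it pulls the request URL out of combined-format access-log lines, decodes 'info' with padding and URL-safe-alphabet tolerance, parses the JSON, and flags any field whose value carries an inline-script marker while the request targets the upload-list handler named in the IOCs above. The log lines are constructed for the example; the first one reuses the URL listed under Detection & IOCs.

```python
"""Decode eyoucms-style base64 `info` parameters from access-log lines and
flag embedded script payloads (added example, not the page's own tooling)."""
import base64
import binascii
import json
import re
from urllib.parse import parse_qs, quote, urlsplit

# Query-parameter combination that identifies the upload-list handler
# referenced in the IOCs on this page.
EYOUCMS_UPLOAD_HANDLER = {"a": "get_upload_list", "c": "Uploadimgnew", "m": "admin"}

# Case-insensitive inline-script markers. The page's payload uses mixed case
# (<ScRiPt >), so a case-sensitive substring match would miss it.
SCRIPT_MARKERS = re.compile(r"<\s*script\b|javascript:|on\w+\s*=", re.IGNORECASE)


def decode_info_param(value: str):
    """Base64-decode `info` into a dict. Tolerates URL-safe alphabet, stripped
    padding, and a '+' that parse_qs turned into a space. Returns None when the
    value is not base64-wrapped JSON (so benign traffic is never mis-parsed)."""
    cleaned = value.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)  # restore padding the sender dropped
    try:
        raw = base64.b64decode(cleaned, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def inspect_request(url: str) -> dict:
    """Analyse one requested URL (path + query). `flagged_fields` lists the
    JSON keys whose string values contain a script marker."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    is_handler = parts.path.endswith("/login.php") and all(
        params.get(k) == v for k, v in EYOUCMS_UPLOAD_HANDLER.items()
    )
    decoded = decode_info_param(params["info"]) if "info" in params else None
    flagged = []
    if decoded:
        flagged = [k for k, v in decoded.items()
                   if isinstance(v, str) and SCRIPT_MARKERS.search(v)]
    return {
        "path": parts.path,
        "upload_handler": is_handler,
        "func": decoded.get("func") if decoded else None,
        "flagged_fields": flagged,
        "suspicious": is_handler and bool(flagged),
    }


def scan_access_log(lines):
    """Yield a finding for every combined-log-format line whose request URL
    decodes to an `info` payload carrying script markers."""
    req = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = req.search(line)
        if not m:
            continue
        finding = inspect_request(m.group(1))
        if finding["suspicious"]:
            finding["line"] = line
            yield finding


# Constructed benign request to the same handler: `info` holds no markup.
BENIGN_INFO = base64.b64encode(
    json.dumps({"num": "1", "func": "head_pic_call_back"}).encode()).decode()
BENIGN_URL = (f"/login.php?a=get_upload_list&c=Uploadimgnew"
              f"&info={quote(BENIGN_INFO, safe='')}&m=admin")

# Constructed sample log. Line 1 reuses the URL from the Detection & IOCs
# section above; line 2 is the benign request.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Feb/2024:10:00:00 +0000] "GET /login.php?a=get_upload_list'
    '&c=Uploadimgnew&info=eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoZG9jdW1lbnQuZG9tYWluKTwv'
    'U2NSaVB0PiIsInNpemUiOiIyMDk3MTUyIiwiaW5wdXQiOiIiLCJmdW5jIjoiaGVhZF9waWNfY2FsbF9iYWNr'
    'IiwicGF0aCI6ImFsbGltZyIsImlzX3dhdGVyIjoiMSIsImFsZyI6IkhTMjU2In0&lang=cn&m=admin'
    '&unneed_syn= HTTP/1.1" 200 512',
    f'198.51.100.7 - - [01/Feb/2024:10:00:05 +0000] "GET {BENIGN_URL} HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['path']} func={hit['func']} flagged={hit['flagged_fields']}")
```

The decoder deliberately treats undecodable 'info' values as "not our format" rather than as errors, so the rule stays quiet on unrelated traffic; the handler check (a, c and m together) keeps the alert tied to the endpoint this CVE concerns instead of firing on any base64 blob containing a script tag.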

CVSS provenance

NVD:       v3.1  6.1 MEDIUM  CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
VulnCheck:       6.1 MEDIUM