AnqiCMS | Multiple XSS vulnerabilities via document text editor
Information
Software Type | Web App |
---|---|
Software Name | Anqi CMS |
Affected Version | 3.4.2 |
Software Vendor | Fesiong |
Software Link | https://github.com/fesiong/anqicms |
Severity | Medium |
CVSS Score | 4.6 |
CVE Link | N/A |
Affected Assets | 100+ |
Date of Discovery | Jan 8th, 2025 |
PoC Exploit | N/A |
Description
AnqiCMS uses a text editor for creating pages. The same editor appears in several places to make it easy for admins to design pages, including the following endpoints:
/system/archive/list
/system/archive/category
/system/archive/tag
/system/archive/page
All of these endpoints are vulnerable to XSS because they share the same editor component and code. At first glance it may seem that authenticated moderators should be able to make these modifications, but these pages are designed for editing text, not for adding JavaScript.
Reproduce
Navigate to /system/archive/list and click the “Revise” button for any of the posts you see there; you may get redirected to a URI like this:
http://127.0.0.1:8001/system/archive/detail?id=48
Inside the editor there is a button called “Code”; you will notice it if you hover your mouse over it.
Remove the existing code and add the following JS code:
<script>alert("Popup!")</script>
Click on submit and visit the document using its link; for me, it was the following link:
Proof of Concept (PoC) Video
Posted on: May 24, 2025 02:12 AM