Stored Cross Site Scripting Vulnerability in Z-BlogPHP 1.5.2 via Website Title Setting

Stored Cross Site Scripting Vulnerability in Z-BlogPHP 1.5.2 via Website Title Setting

CVE-2018-10680 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:P/A:N

Z-BlogPHP 1.5.2 has a stored Cross Site Scripting Vulnerability exploitable by an administrator who navigates to "Web site settings --> Basic setting --> Website title" and enters an XSS payload via the zb_system/cmd.php ZC_BLOG_NAME parameter. NOTE: the vendor disputes the security relevance, noting it is "just a functional bug.

Learn more about our Web App Pen Testing.