Impact
The vulnerability is a POST-based reflected cross‑site scripting flaw in u5CMS through version 12.8.8 that occurs when an attacker supplies malicious content in the 'thanks' parameter of multiple form components. The application does not sanitize this input before embedding it into an HTML response, allowing arbitrary JavaScript to be executed in the victim’s browser. This weakness is categorized as CWE‑79, Improper Neutralization of Input During Web Page Generation.
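To make the mechanism concrete, the following Python sketch is an added illustration, not u5CMS code, modelling a form handler that echoes a POST field named 'thanks' into a confirmation page. The template, function names and sample submissions are constructed for the example; it assumes the value lands in an HTML text node, and shows the unsanitized pattern beside the output-encoded one that removes the flaw.

```python
import html
from urllib.parse import parse_qs

# Constructed mock of a form handler that echoes the 'thanks' field into an
# HTML confirmation page. This is NOT u5CMS code; only the parameter name
# comes from the advisory.
TEMPLATE = '<p class="confirm">{message}</p>'

# Constructed sample submissions: a benign reply and one carrying markup.
BENIGN = "name=alice&thanks=Thank+you+for+your+message"
HOSTILE = "name=alice&thanks=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def _thanks_value(post_body: str) -> str:
    """Extract the decoded 'thanks' parameter from a URL-encoded POST body."""
    params = parse_qs(post_body, keep_blank_values=True)
    return params.get("thanks", [""])[0]


def render_thanks_unsafe(post_body: str) -> str:
    """Vulnerable pattern: the POST parameter is embedded verbatim, so any
    markup it contains becomes part of the page (CWE-79)."""
    return TEMPLATE.format(message=_thanks_value(post_body))


def render_thanks_safe(post_body: str) -> str:
    """Hardened pattern: HTML-encode the value for the text-node context
    before it reaches the template, so '<' and '>' are rendered literally."""
    return TEMPLATE.format(message=html.escape(_thanks_value(post_body), quote=True))


def contains_active_markup(fragment: str) -> bool:
    """Demonstration check only: does the rendered page contain a raw
    <script> tag rather than its encoded form?"""
    return "<script" in fragment.lower()


if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, "unsafe:", render_thanks_unsafe(body))
        print(label, "safe:  ", render_thanks_safe(body))
```

Running the block shows the unsafe renderer emitting the submitted tag intact while the safe renderer emits `&lt;script&gt;`, which the browser displays as text. Encoding must match the output context; a value placed inside an attribute or a script block needs a different encoder than the text-node case shown here.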
Affected Systems
u5CMS content management systems running any version up to and including v12.8.8 are vulnerable. Versions v12.8.9 and later contain the fix that properly sanitizes the 'thanks' parameter; therefore, any deployment running v12.8.9 or later is no longer affected.
Risk and Exploitability
The CVSS score of 6.4 places this flaw in the Medium severity range. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, indicating a moderate exploitation likelihood. The flaw can be triggered by sending a crafted POST request to any public form that includes the 'thanks' field, allowing an attacker with internet access to deliver the payload. Because the impact occurs client‑side, the attack requires a victim to view the reflected content in their browser, and any abuse depends on user interaction with the malicious output. Implementing the vendor's patch is a priority to mitigate this risk.
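As an added example that is not part of the advisory, the following Python helpers apply the affected-version boundary stated above (fixed in v12.8.9) and screen incoming form submissions for 'thanks' values that carry HTML markup. The version strings, sample submissions and the screening pattern are constructed for the example; the screening is a detection aid only and does not replace the vendor's fix, since the output encoding the fix applies is what actually neutralizes the input.

```python
import re
from urllib.parse import parse_qs

# Fix version taken from the advisory; anything below it is affected.
FIXED_VERSION = (12, 8, 9)

# Assumption for this example: a legitimate plain-text 'thanks' message has no
# reason to contain angle brackets, which are what a text-node breakout needs.
MARKUP_PATTERN = re.compile(r"[<>]")

# Constructed sample POST bodies as a request-inspection hook would see them.
SUBMISSIONS = [
    "name=bob&thanks=Thanks+for+getting+in+touch",
    "name=eve&thanks=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "name=carol&thanks=5+%3C+10+is+true",  # harmless text that still trips the pattern
]


def parse_version(text: str) -> tuple:
    """Turn 'v12.8.8' or '12.8.8' into a tuple of ints for ordering."""
    return tuple(int(part) for part in text.lstrip("vV").split("."))


def is_affected(version: str) -> bool:
    """True when the deployment runs a release older than the fix."""
    return parse_version(version) < FIXED_VERSION


def screen_submission(post_body: str) -> dict:
    """Decode the 'thanks' field and report whether it contains markup."""
    params = parse_qs(post_body, keep_blank_values=True)
    value = params.get("thanks", [""])[0]
    hit = MARKUP_PATTERN.search(value)
    return {
        "thanks": value,
        "suspicious": hit is not None,
        "match": hit.group(0) if hit else None,
    }


def triage(submissions) -> list:
    """Return (index, matched_text) for every submission worth a closer look."""
    findings = []
    for index, body in enumerate(submissions):
        result = screen_submission(body)
        if result["suspicious"]:
            findings.append((index, result["match"]))
    return findings


if __name__ == "__main__":
    for v in ("v12.8.8", "v12.8.9", "12.9.0"):
        print(v, "affected" if is_affected(v) else "not affected")
    print("suspicious submissions:", triage(SUBMISSIONS))
```

The third sample shows the limitation of pattern screening: a perfectly ordinary message containing a comparison sign is flagged alongside the real script tag. Treat hits as a signal to review and as evidence that the patch is outstanding, not as a substitute for upgrading to v12.8.9 or later.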
OpenCVE Enrichment