CVE-2024-33338

7.3 HIGH

📋 TL;DR

This is a Cross-Site Scripting (XSS) vulnerability in jizhicms v2.5.4 that allows remote attackers to inject malicious scripts via crafted article publication requests. When exploited, it can lead to session hijacking, credential theft, or redirection to malicious sites. Anyone running jizhicms v2.5.4 is affected.

💻 Affected Systems

Products:
  • jizhicms
Versions: v2.5.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the article publication functionality and affects all installations with default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, administrative privilege escalation, or deployment of malware to site visitors through persistent XSS payloads.

🟠 Likely Case

Session cookie theft leading to unauthorized access to user accounts, defacement of website content, or redirection to phishing sites.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting non-sensitive data display.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires article publication privileges, but the vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.5.5 or later

Vendor Advisory: https://github.com/Cherry-toto/jizhicms/issues/86

Restart Required: No

Instructions:

1. Backup your current installation.
2. Download the latest version from the official repository.
3. Replace vulnerable files with patched versions.
4. Clear any cached content.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation to sanitize article content before processing.

Implement HTML entity encoding for all user inputs in article publication handlers.

Content Security Policy (applies to: all)

Deploy a strict Content Security Policy to mitigate XSS impact.

Add the header "Content-Security-Policy: default-src 'self'; script-src 'self'" to HTTP responses. Note that this policy also blocks inline scripts and inline event handlers, so the CMS's own pages must load their JavaScript from same-origin files for the site to keep working.

🧯 If You Can't Patch

  • Disable article publication functionality for untrusted users
  • Implement web application firewall rules to block XSS payload patterns

🔍 How to Verify

Check if Vulnerable:

Check if your jizhicms version is 2.5.4 by examining the version file or admin panel.

Check Version:

Check /application/common.php or admin dashboard for version information

Verify Fix Applied:

Test article publication with XSS payloads after patching to ensure they are properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual article publication requests with script tags or JavaScript payloads
  • Multiple failed publication attempts with encoded payloads

Network Indicators:

  • HTTP POST requests to article endpoints containing <script> tags or JavaScript code

SIEM Query:

source="web_logs" AND (uri_path="/article/publish" OR uri_path="/admin/article") AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")
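
As an added example (not part of this advisory or the jizhicms project), the following Python script applies the log indicators above to a few constructed request-log lines; it percent-decodes the request body before matching, so the encoded payloads mentioned under Log Indicators are caught even though the literal SIEM query above would miss them. The tab-separated METHOD/PATH/BODY log format and the sample lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Endpoints named in the advisory's SIEM query.
ARTICLE_PATHS = ("/article/publish", "/admin/article")

# The advisory's two indicators: <script> tags and javascript: URLs.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
]


def normalize(body: str) -> str:
    """Percent-decode repeatedly so %3Cscript%3E and double-encoded
    forms are matched in their decoded shape (bounded to three passes)."""
    prev, cur = None, body
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur


def is_suspicious(method: str, path: str, body: str) -> bool:
    """True for a POST to an article endpoint whose decoded body matches."""
    if method != "POST" or not any(path.startswith(p) for p in ARTICLE_PATHS):
        return False
    decoded = normalize(body)
    return any(p.search(decoded) for p in XSS_PATTERNS)


def scan_log(lines):
    """Each line is METHOD<TAB>PATH<TAB>BODY (assumed format); return hits."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t", 2)
        if len(parts) != 3:
            continue  # malformed line, skip
        method, path, body = parts
        if is_suspicious(method, path, body):
            hits.append(line)
    return hits


# Constructed sample log lines for this example, not real traffic.
SAMPLE_LOG = [
    "POST\t/article/publish\ttitle=Hello&content=plain+text",
    "POST\t/article/publish\ttitle=x&content=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "POST\t/admin/article\tcontent=<a href=\"JavaScript:alert(1)\">x</a>",
    "GET\t/article/publish\tcontent=<script>",
    "POST\t/user/login\tuser=%3Cscript%3E",
]
```

Running scan_log(SAMPLE_LOG) flags only the second and third lines: the URL-encoded script tag and the mixed-case javascript: URL on article endpoints.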
