CVE-2021-47737
Unknown Unknown - Not Provided
HTML Injection in CSZ CMS 1.2.7 Enables Malicious Links

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: VulnCheck

Description
CSZ CMS 1.2.7 contains an HTML injection vulnerability that allows authenticated users to insert malicious hyperlinks in message titles. Attackers can craft POST requests to the member messaging system with HTML-based links to potentially conduct phishing or social engineering attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-06-16
AI Q&A
2025-12-23
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47737
EUVD
EUVD-2025-204829
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
csz cms 1.2.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47737 is an HTML injection vulnerability in CSZ CMS version 1.2.7 that allows authenticated users to insert malicious HTML content, such as hyperlinks, into message titles within the member dashboard. Attackers exploit this by crafting POST requests to the member messaging system, embedding deceptive links that can be used for phishing or social engineering attacks. [1, 2]

Impact Analysis

This vulnerability can impact you by enabling attackers with valid user credentials to inject malicious links into message titles, potentially leading to phishing or social engineering attacks. This could compromise user trust, lead to credential theft, or facilitate further attacks against users interacting with the injected content. [1, 2]

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the endpoint `/CSZCMS-V1.2.7/member/insertpm/` and inspecting the 'title' parameter for injected HTML tags such as <a> hyperlinks. For example, you can use network traffic analysis tools like tcpdump or Wireshark to capture HTTP POST requests and grep for suspicious HTML content in the 'title' field. Additionally, you can use curl or similar command-line tools to test the endpoint by sending crafted POST requests with HTML content in the 'title' parameter to see if the system accepts and reflects it. Example curl command: curl -X POST -d "title=<h1><a href='http://malicious.example'>Click me</a></h1>" https://your-cszcms-site/CSZCMS-V1.2.7/member/insertpm/ -b cookie.txt (where cookie.txt contains authentication cookies). [1]

Mitigation Strategies

Immediate mitigation steps include restricting authenticated user input by implementing proper input validation and sanitization on the 'title' parameter to prevent HTML injection. If a patch or update is available from the CSZ CMS vendor, apply it promptly. Additionally, limit user privileges to reduce the risk of exploitation, monitor and audit member messaging activities for suspicious content, and educate users about phishing risks. As a temporary workaround, consider disabling or restricting the member messaging feature until a fix is applied. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47737. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart