Hebing123 / cve


Codiad v2.8.4 has a reflective XSS vulnerability #18

Open Hebing123 opened 9 months ago

Hebing123 commented 9 months ago

Summary

PRODUCT NOT SUPPORTED WHEN ASSIGNED. Codiad v2.8.4 has a reflective cross-site scripting vulnerability.

Details

Codiad v2.8.4 has a reflective cross-site scripting vulnerability. The vulnerability is in /components/market/dialog.php: the "type" parameter is displayed directly in the front-end code without escaping.

https://github.com/Codiad/Codiad/blob/b2ef139219d2f931465f11306e651d3832262227/components/market/dialog.php#L103-L122

[image]

According to the picture, we know that in this code the program writes the value of the "type" parameter into the button tags of the front-end code many times, but the "type" parameter is not filtered, so we can close the button tag with double quotes and insert malicious code.

Proof of Concept (POC)

http://ip:port/components/market/dialog.php?action=list&note=undefined&type=%22%3E%3CScRiPt%3Ealert(1)%3C/ScRiPt%3E

Impact

If a user or administrator accesses the malicious URL, the cookie may be obtained by an attacker.
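The pattern described in this report, next to two ways of closing it, as an added example that is not part of the original post and is not Codiad's code. The function names, the `data-type` attribute, the button markup and the allowlist values are assumptions made for illustration; run it with the PHP CLI to compare the three outputs as text.

```php
<?php
// Added illustration, not Codiad's dialog.php. All names below are hypothetical.

// Vulnerable pattern: a request value concatenated into a double-quoted
// attribute. A '"' in the value ends the attribute and '>' ends the tag.
function render_button_unsafe(string $type): string
{
    return '<button data-type="' . $type . '">Install</button>';
}

// Fix 1: encode for the HTML attribute context at the point of output.
// ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function render_button_escaped(string $type): string
{
    $safe = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<button data-type="' . $safe . '">Install</button>';
}

// Fix 2: accept only known values before the parameter is used anywhere.
// The allowlist entries passed in below are assumed for this example.
function normalize_type(string $type, array $allowed, string $default): string
{
    return in_array($type, $allowed, true) ? $type : $default;
}

// Constructed input: the URL-decoded "type" value from the PoC above.
$type = '"><ScRiPt>alert(1)</ScRiPt>';

echo 'unsafe:    ', render_button_unsafe($type), PHP_EOL;
echo 'escaped:   ', render_button_escaped($type), PHP_EOL;

// Validation and encoding together: unknown values fall back to the default,
// and the output is still encoded in case the allowlist changes later.
$clean = normalize_type($type, ['plugins', 'themes'], 'plugins');
echo 'allowlist: ', render_button_escaped($clean), PHP_EOL;
```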

Hebing123 commented 6 months ago

CVE-2024-26557