FastAdmin is a PHP backend development framework, open-source under the Apache 2.0 license. It is designed for rapid development of backend systems, features a permission management system based on Auth verification, and offers one-click generation of CRUD (Create, Read, Update, Delete) functionality.
FastAdmin 1.5.0.20240328, a version of the FastAdmin framework, contains a stored cross-site scripting (XSS) vulnerability in the "General Management - Attachment Management" section of the backend. Administrators with access to attachment management (e.g., secondary administrators) can exploit this vulnerability to target users with higher privileges.
Details
The vulnerability can be exploited by an attacker who has the ability to modify the row.imagewidth and row.imageheight parameters of an attachment.
The attacker crafts a payload that includes malicious JavaScript code, which is then stored within the database.
When an administrator with higher privileges views or edits the attachment, the malicious script is executed in the context of the administrator's session, potentially allowing the attacker to perform actions on behalf of the administrator.
Note that when the injected JavaScript is loaded from an external site, the host name and the JavaScript file path should be kept as short as possible: if the stored value is too long, it may cause an SQL error.
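The rendering and input handling described above, as an added example in JavaScript that is not FastAdmin's own code: it assumes the attachment list displays row.imagewidth and row.imageheight through a bootstrap-table style column formatter (the actual FastAdmin template is not shown on this page) and contrasts an unescaped formatter with an escaping one, plus write-time integer validation that would keep such values out of the database in the first place.

```javascript
// Added example, not FastAdmin code. Field names imagewidth/imageheight come
// from the advisory; the formatter shape and the validation rule are assumed.

// Constructed attachment row of the kind the advisory describes: a stored
// dimension field carrying markup instead of a number.
const storedRow = {
  id: 1,
  imagewidth: '<img src=x onerror=alert(1)>',
  imageheight: '600',
};

// Vulnerable formatter: concatenates stored values straight into HTML, so any
// markup in imagewidth/imageheight is interpreted by the viewing admin's browser.
function formatDimensionsUnsafe(value, row) {
  return '<span>' + row.imagewidth + ' x ' + row.imageheight + '</span>';
}

// Minimal HTML escaping for text placed inside element content.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened formatter: escape before interpolation; markup is shown as text.
function formatDimensionsSafe(value, row) {
  return '<span>' + escapeHtml(row.imagewidth) + ' x ' + escapeHtml(row.imageheight) + '</span>';
}

// Write-time validation (the same rule belongs in the server-side handler):
// image dimensions are positive integers, so anything else is rejected rather
// than stored. Returns the number, or null for an invalid value.
function validateDimension(v) {
  return /^[1-9]\d{0,4}$/.test(String(v)) ? Number(v) : null;
}

// Helper for checks: true when the rendered HTML contains no tag delimiters.
function isMarkupFree(html) {
  return !/[<>]/.test(html.replace(/<\/?span>/g, ''));
}
```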
Proof of Concept (POC)