TDuckCloud / tduck-platform
Provides enterprises with a "free" form and questionnaire capability, "out of the box", to quickly empower the business. A questionnaire system that can be privatized and deployed - 填鸭表单问卷系统 (tduck-survey-form)
https://www.tduckcloud.com
MIT License
XSS vulnerability caused by file upload (tduck-platform 4.0)
#17 Open
libaibaia opened this issue 1 year ago

libaibaia commented 1 year ago
Upload code:
https://github.com/TDuckCloud/tduck-platform/blob/master/tduck-api/src/main/java/com/tduck/cloud/api/web/controller/UploadFileController.java
Create a test form system.
After creating the form system, upload the HTML file; you can see that the request does not contain authentication information.
Background preview of the data executes the script.
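A defensive illustration of the controls this report implies (require a session on the upload endpoint, allowlist file types, verify the body matches the declared type, and never serve stored uploads inline). This is an added example in Python, not code from tduck-platform; the function names, the type allowlist and the sample bytes are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Assumed allowlist: extension -> the only MIME type accepted for it.
ALLOWED_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "pdf": "application/pdf",
}

# Leading bytes used to confirm the body really is what the name claims.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}

# Markup a browser would treat as active content if the file were rendered as a page.
ACTIVE_CONTENT = re.compile(rb"<\s*(script|html|svg|iframe|object|embed)\b|javascript:", re.I)


def check_upload(filename: str, content_type: str, data: bytes) -> Optional[str]:
    """Return None when the upload is acceptable, otherwise a short rejection reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED_TYPES.get(ext)
    if expected is None:
        return "extension not allowed"
    if content_type.split(";")[0].strip().lower() != expected:
        return "content type does not match extension"
    if not data.startswith(MAGIC[expected]):
        return "file signature does not match declared type"
    # Defence in depth: an allowed type that still carries markup near the top is rejected.
    if ACTIVE_CONTENT.search(data[:4096]):
        return "active content detected"
    return None


def handle_upload(session_user: Optional[str], filename: str, content_type: str, data: bytes) -> Tuple[int, str]:
    """Hypothetical endpoint logic: reject anonymous callers before touching the file."""
    if session_user is None:
        return 401, "authentication required"
    reason = check_upload(filename, content_type, data)
    if reason is not None:
        return 400, reason
    return 200, "stored"


def download_headers(filename: str) -> dict:
    """Headers for serving stored uploads so the browser downloads rather than renders them."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```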
0yingteam commented 1 year ago
That fast? I also found this during an audit two weeks ago.
0yingteam commented 1 year ago
From an audit perspective, there is also a high-risk vulnerability involving a default account.