There is a storage XSS vulnerability in the modification of jfinal_CMS user's personal information. The attacker can insert malicious XSS code into the modification of personal information, and then successfully trigger XSS attack when the administrator user views the user's personal information.
First, register a user test, then enter the personal information page, insert the malicious XSS attack code in the remarks:
payload:
"><img src=x onerror=alert(document.cookie);><"
Then use the administrator account to view the user information:
Successfully triggered malicious XSS Code:
zcool321
commented
3 years ago
There is a storage XSS vulnerability in the modification of jfinal_CMS user's personal information. The attacker can insert malicious XSS code into the modification of personal information, and then successfully trigger XSS attack when the administrator user views the user's personal information. First, register a user test, then enter the personal information page, insert the malicious XSS attack code in the remarks: payload:
Then use the administrator account to view the user information:
Successfully triggered malicious XSS Code:
"><img src=x onerror=alert(document.cookie);><"Safety advice: strictly filter the user's input