There is a stored XSS vulnerability in JFinal_cms's publish blog module. An attacker can insert malicious XSS code into the user's note information, and that code is triggered when other users visit the malicious user's personal homepage.
payload:
</p><script>alert(document.cookie)</script><p>
Successfully executed malicious XSS code:
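A mitigation sketch for the issue reported above, as an added example that is not part of the original report and is not JFinal_cms code: it contrasts a note rendered as-is with the same note HTML-encoded at output time, using the payload from the report. The class and method names are hypothetical, and the unsafe rendering is an assumption about how the homepage builds its markup, since the report does not show the template.

```java
// Added example: not JFinal_cms code. NoteRenderer and its methods are hypothetical.
public class NoteRenderer {

    /** Encode text for HTML element content or a quoted attribute value. */
    static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Assumed vulnerable pattern: the stored note is concatenated into markup unchanged. */
    static String renderNoteUnsafe(String storedNote) {
        return "<p>" + storedNote + "</p>";
    }

    /** Hardened pattern: the note is encoded when it is written into the page. */
    static String renderNoteSafe(String storedNote) {
        return "<p>" + escapeHtml(storedNote) + "</p>";
    }

    public static void main(String[] args) {
        // The payload from the report above.
        String note = "</p><script>alert(document.cookie)</script><p>";
        System.out.println("unsafe: " + renderNoteUnsafe(note));
        System.out.println("safe:   " + renderNoteSafe(note));
        // The encoded output must not contain a live script tag.
        if (renderNoteSafe(note).contains("<script>")) {
            throw new AssertionError("script tag survived encoding");
        }
    }
}
```

Encoding at output time covers notes already stored in the database, which input filtering alone would miss. Setting the session cookie with the HttpOnly attribute additionally keeps it out of `document.cookie` if some other injection point remains.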