Closed bharathmohanraj closed 2 years ago
This PR #44 fixes issue #39 and issue #42
@zcool321 Hi George, could you please review this pull request URL: https://github.com/jflyfox/jfinal_cms/pull/44, and let me know your thoughts? Thanks.
Hello, I have received your message! Thank you! Best Wishes! - 孔祥亮
Description: Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.
Fixed in any other branch?: Fix doesn't exist in any of the existing branches.
Root cause: This vulnerability affects an unknown part of the Jfinal CMS component Publish Blog Module. The manipulation of the argument "keyword" with an unknown input leads to a cross-site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. An attacker might be able to inject arbitrary HTML and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.
Steps to reproduce:
Additional Findings:
Fix:
Unit Testing:
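
The CWE-79 root cause described above, shown as an added example that is not part of the original pull request and is not Jfinal CMS code: a stored `keyword` value written into a page as-is, beside the same value encoded at the point of output. The class name, method names, the `<span class="keyword">` markup and the sample values are all assumptions made for illustration.

```java
// Added illustration; all names here are hypothetical, not taken from Jfinal CMS.
public class KeywordEncodingExample {

    // Encode text for an HTML element body or a quoted attribute value.
    static String encodeForHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // "Before": the stored keyword is concatenated into the page unmodified,
    // so any markup it contains is interpreted by the visitor's browser.
    static String renderKeywordUnsafe(String keyword) {
        return "<span class=\"keyword\">" + keyword + "</span>";
    }

    // "After": the keyword is encoded where it enters HTML output,
    // so it is displayed as text instead of being parsed as markup.
    static String renderKeywordSafe(String keyword) {
        return "<span class=\"keyword\">" + encodeForHtml(keyword) + "</span>";
    }

    public static void main(String[] args) {
        // Constructed sample values for the keyword field.
        String[] samples = { "java,cms", "<b>bold</b>", "say \"hi\"", "Tom & Jerry" };
        for (String keyword : samples) {
            System.out.println("unsafe: " + renderKeywordUnsafe(keyword));
            System.out.println("safe:   " + renderKeywordSafe(keyword));
        }
    }
}
```

Encoding at output time protects every page that displays the keyword, including values that were stored before any input validation was added.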