There is a stored XSS vulnerability in JFinal_cms 's publish blog module. An attacker could insert malicious XSS code into the content of the blog post. When users and administrators view the blog post, the malicious XSS code is triggered successfully.
First register a user to test, then go to the submit blog post page and insert malicious XSS code in the content field
There is a stored XSS vulnerability in JFinal_cms 's publish blog module. An attacker could insert malicious XSS code into the content of the blog post. When users and administrators view the blog post, the malicious XSS code is triggered successfully.
First register a user to test, then go to the submit blog post page and insert malicious XSS code in the content field
Payload:
%3Cp%3Etest2%3C%2Fp%3E%3Cimg%20src%3D%22x%22%20onerror%3Dalert(document.cookie)%3E%3C%2Fp%3E
Submit a blog post
Modification of data packages via Burp Suite
Change the model.content field to Payload
Successfully executed malicious XSS code: