saysky / ForestBlog

A simple, attractive SSM (Spring+SpringMVC+Mybatis) blog system
https://forestblog.liuyanzhao.com

There is stored xss vulnerability #19

Closed czming123 closed 5 years ago

czming123 commented 5 years ago

Bug Report

I found stored XSS vulnerabilities everywhere in the website. I ran the project in my environment with Tomcat. In article comment editing, I inserted an XSS payload for my test. Payload: `<img src=x onerror=alert(1) />`

We can see the JavaScript payload is effective. Then I tested the name input; it also has the problem.

When the admin user logs in to the back end of the site, it also triggers in the website.

czming123 commented 5 years ago

Not just in the comment; the name can also be used to insert an XSS payload to attack.
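
The behaviour reported above, shown next to its fix, as an added example that is not part of the issue thread and not ForestBlog's own code: the stored name and comment body are HTML-encoded when they are rendered. The class name, method names and the sample row are constructed for illustration.

```java
// Added illustration; not ForestBlog code. Names and sample data are constructed.
public class CommentRenderDemo {

    /** Encode the characters that are significant in HTML text and quoted attributes. */
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern: stored fields are concatenated into markup unchanged. */
    static String renderUnsafe(String author, String content) {
        return "<li><b>" + author + "</b><p>" + content + "</p></li>";
    }

    /** Hardened pattern: every stored field is encoded at output, in every view. */
    static String renderSafe(String author, String content) {
        return "<li><b>" + escapeHtml(author) + "</b><p>" + escapeHtml(content) + "</p></li>";
    }

    public static void main(String[] args) {
        // Constructed stored comment row using the payload quoted in the report,
        // placed in both fields the reporter tested (name and comment body).
        String payload = "<img src=x onerror=alert(1) />";
        String unsafe = renderUnsafe(payload, payload);
        String safe = renderSafe(payload, payload);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);
        // The encoded output must contain no live tag from the stored data.
        if (safe.contains("<img")) throw new AssertionError("payload survived encoding");
        if (!unsafe.contains("<img")) throw new AssertionError("unsafe path should keep the tag");
    }
}
```

The same encoding has to be applied in the admin views as well as the public pages, since the report shows the stored value firing in both.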