XSS(Stored) in MineWebCMS_v1.7.0 #123
Comments
Hello,

Hi, friend

And what information can you get that you don't already have via the admin account?

Hi,

Are these security vulnerabilities fixed?

Affected software: MineWebCMS_v1.7.0
Type of vulnerability: XSS (Stored)
Discovered by: Ryan0lb
Details:

Open this URL "http://127.0.0.1/admin/" and log in,
and click "Customization" and view the News.
We can add a new article.
We can control this parameter via "title", and we can insert the payload "<script>alert("test")</script>" in the title.
Finally, submit!
The malicious JavaScript payload executed successfully.
Then open the article's URL, "http://127.0.0.1/blog/1-php"; the malicious JavaScript payload executed successfully there too.
Without any filtering on publishing the article, we can easily trigger a malicious XSS payload and attack every visitor maliciously.
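
The report above describes an article title that is stored unchanged and then rendered in both the admin view and the public article page. The following is an added example, not MineWebCMS code and not part of the report; the function names, the sample row and the edit URL are hypothetical. It shows the unescaped render beside a version that encodes the title at output time for both places:

```php
<?php
// Added example: all names below are hypothetical, not taken from MineWebCMS.

// Constructed sample row: the title from the report, saved unchanged.
$article = [
    'id'    => 1,
    'title' => '<script>alert("test")</script>',
];

// Vulnerable pattern: the stored title is concatenated into markup as-is,
// so the browser parses it as a script element on every page view.
function renderTitleUnsafe(array $article): string
{
    return '<h1>' . $article['title'] . '</h1>';
}

// Encode for HTML at output time. ENT_QUOTES covers both quote styles, so
// the helper is also safe inside quoted attribute values; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened public article view (element text context).
function renderTitleSafe(array $article): string
{
    return '<h1>' . escapeHtml($article['title']) . '</h1>';
}

// Hardened admin list row: the title lands in an attribute and in link text.
// $editUrl is a constructed value standing in for the real edit route.
function renderAdminRowSafe(array $article, string $editUrl): string
{
    $title = escapeHtml($article['title']);
    return '<tr><td><a href="' . escapeHtml($editUrl) . '" title="' . $title
         . '">' . $title . '</a></td></tr>';
}

echo renderTitleUnsafe($article), PHP_EOL;
echo renderTitleSafe($article), PHP_EOL;
echo renderAdminRowSafe($article, '/admin/example-edit/1'), PHP_EOL;
```

Encoding at render time rather than only filtering on submit also covers titles that were already stored before the fix.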