PwnCYN changed the title from "YXBOOKCMS Vulnerability Testing" to "YXBOOKCMS Stored XSS" on Oct 20, 2023
Product Name:
YXBOOKCMS
Affected version:
1.0.2
Case Address:
https://down.chinaz.com/soft/37726.htm (Program download address)
https://www.ys-bs.com/ (The website address has been hacked)
Vulnerability Type:
Stored XSS
Description:
![3](https://private-user-images.githubusercontent.com/147542481/276949974-ee35a82c-0301-4cd9-bf7c-e0c790ee2eae.png)
The library name can be modified in the general settings section of the backend homepage.
Due to the lack of filtering of input user content in the code, executable JavaScript code can be executed. As the modified part is the website title, the code will be triggered every time it is accessed, resulting in a storage based XSS vulnerability.
![1](https://private-user-images.githubusercontent.com/147542481/276949687-ef7f4ce9-0d8a-4a62-9b55-734a93306f9c.png)
![4](https://private-user-images.githubusercontent.com/147542481/276950546-739ef756-d607-4e43-b7cb-d3cb30ea7df2.png)
An attacker can write XSS statements to obtain information (cookies, etc.) of users who visit the website.
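An added example, not part of the original report and not YXBOOKCMS code: it shows a stored site-name setting rendered with and without output encoding, plus an audit check for stored values that contain markup. The `site_name` key, the page template and the sample value are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample row; "site_name" is a hypothetical settings key.
STORED = {"site_name": "My Library<script>alert(1)</script>"}
PAGE = "<header><h1>{name}</h1></header>"

def render_unsafe(settings):
    # Stored value interpolated as-is: the flaw the report describes.
    return PAGE.format(name=settings["site_name"])

def render_escaped(settings):
    # Encode for the HTML text context at output time, on every render.
    return PAGE.format(name=html.escape(settings["site_name"], quote=True))

class _Collector(HTMLParser):
    """Records the element names and text an HTML parser sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
    def handle_data(self, data):
        self.text.append(data)

def parse(markup):
    c = _Collector()
    c.feed(markup)
    c.close()
    return c.tags, "".join(c.text)

def settings_with_markup(settings):
    # Audit check: stored values that would introduce elements if rendered raw.
    return [k for k, v in settings.items() if parse(str(v))[0]]

if __name__ == "__main__":
    print(parse(render_unsafe(STORED))[0])
    print(parse(render_escaped(STORED))[0])
    print(settings_with_markup(STORED))
```

Encoding at render time protects every page that displays the setting, including values stored before the fix; the audit function helps find such existing rows.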