There is a Stored Cross-Site Scripting vulnerability in your latest version of the CMS, v1.1.8
Download link: "http://img.yunucms.com/o_1cvnmdq4igqv3i713iq183fu7qa.zip?attname="
In the /YUNUCMSv1.1.8/app/admin/controller/System.php




The judgment code of the basic settings page is:
Pass in such a packet here
See the sys.php file to see that the site_title parameter has been changed.
The value in sys.php was taken directly in basic.html, resulting in a stored XSS vulnerability.
2. Steps To Reproduce:



Fix:
Strictly verify user input; you must perform strict checks and HTML escaping on all input scripts, iframes, etc.
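The pattern the report describes (a saved `site_title` echoed back into the settings page without encoding) next to the escaped form, as an added example that is not code from this issue or from YUNUCMS. The function names, the form-field markup and the sample value are assumptions made for illustration.

```php
<?php
// Added illustration; not YUNUCMS code. All function names are hypothetical.

// Constructed sample: settings as they might be read back from a PHP config
// file after markup was saved in site_title (harmless <b> tag as a marker).
$sys = ['site_title' => 'My Site"><b>injected</b>'];

// Vulnerable pattern: the stored value is placed into the page as-is, so the
// quote closes the attribute and the rest is parsed as markup.
function render_unsafe(array $sys): string
{
    return '<input type="text" name="site_title" value="' . $sys['site_title'] . '">';
}

// Output encoding for HTML text and quoted attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: encode at the point of output, whatever was stored.
function render_safe(array $sys): string
{
    return '<input type="text" name="site_title" value="' . e($sys['site_title']) . '">';
}

// Input-side check before the value is written to the config file.
// Assumed policy: 1-200 bytes, no control characters, no angle brackets.
function validate_site_title(string $raw): string
{
    $title = trim($raw);
    if ($title === '' || strlen($title) > 200) {
        throw new InvalidArgumentException('site_title must be 1-200 bytes');
    }
    if (preg_match('/[\x00-\x1F\x7F<>]/', $title)) {
        throw new InvalidArgumentException('site_title contains disallowed characters');
    }
    return $title;
}

echo render_unsafe($sys), PHP_EOL; // markup from the stored value is live
echo render_safe($sys), PHP_EOL;   // same value, rendered as inert text

try {
    validate_site_title($sys['site_title']);
} catch (InvalidArgumentException $ex) {
    echo 'rejected on save: ', $ex->getMessage(), PHP_EOL;
}
```

Validation on save narrows what can be stored, but the encoding at output is what keeps values already sitting in the config file from being interpreted as markup.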