The information at the bottom of the homepage exists in stored xss

[ss122-0ss]

System settings exist storage type xss

• Exploit Title: System settings exist storage type xss
• Vendor Homepage: https://www.emlog.net/
• Software Link: https://github.com/emlog/emlog
• Version: pro2.3

1、Write payload in the information at the bottom of the homepage

2、The vulnerability can be triggered when viewing article content on the home page

Burpsuite packet capture analysis, payload is located in the footer_info parameter

burpsuite抓包分析,payload位于footer_info参数中

Code: Line 154 in admin/setting, when the parameter is save, footer_info is accepted

代码：位于admin/setting中的154行，当参数为save时，接受footer_info

The filtering function is function postStrVar(), located in line 19 of input.php. It strictly filters the input characters, leading to stored xss attacks.

过滤函数为function postStrVar(),位于input.php中19行，为对输入的字符进行严格过滤，导致存储xss攻击

[emlog]

Thanks for your feedback, but this isn't an issue in our opinion.