Bug:V1.3.0 Cross Site Scripting Vulnerability #2

Open
@Richard1266

There is a Stored Cross Site Scripting vulnerability in your latest version of the CMS, v1.3.0.
Download link: "http://ahdx.down.chinaz.com/201901/bycms_v1.3.zip"
In BYCMSv1.3.0\application\admin\controller\Document.php, there is no filtering of title in the edit() function.
Vulnerability trigger point:
http://bycms/admin.php/document/index/module_id/9/group_id/7.html
1. Log in as admin
2. Choose this part
3. Modify content
4. After editing, refresh the vulnerability trigger point
Fix:
Filter the title parameter
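
One way to apply the suggested fix, as an added PHP example that is not part of the original report and is not BYCMS code: the title is normalised when it is submitted and HTML-encoded when it is rendered. The helper names `normalize_title` and `e` and the sample title are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these names are not from BYCMS.

/**
 * Input side: check encoding and length, strip control characters.
 * Markup characters are kept as data; they are neutralised at output.
 */
function normalize_title(string $raw, int $maxLen = 120): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('title is not valid UTF-8');
    }
    // Replace control characters with a space, then collapse whitespace.
    $title = (string) preg_replace('/[\x00-\x1F\x7F]+/u', ' ', $raw);
    $title = trim((string) preg_replace('/\s+/u', ' ', $title));
    if ($title === '' || mb_strlen($title, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException('title is empty or too long');
    }
    return $title;
}

/**
 * Output side: encode for an HTML text or quoted-attribute context.
 * This is the step that stops a stored value from being parsed as markup.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input, standing in for the submitted "title" field.
$submitted = "News <script>alert(1)</script> & \"updates\"";

$stored = normalize_title($submitted);   // what would be saved
echo '<td>' . e($stored) . "</td>\n";    // what the list page would emit
// The characters < > & " are emitted as entities, so the browser
// displays the title as text instead of interpreting it as markup.
```

Encoding at output covers titles that were stored before any input check existed, which input filtering alone does not.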
