Skip to content

[XSS!!]When modifying a written blog, you can modify the name of the uploaded picture to cause a stored XSS vulnerability #885

Open
@aq-xiaobai

Description

Affected pages: xxxxx/blog/

Execute malicious javascript code by modifying the name of the uploaded image to close the html tag or adding the onerror attribute.
yes:
2
no:
5

detailed steps:
After publishing a blog with uploaded pictures, click "Edit Blog Entry" to enter the modification page, open Burp Suit and then directly click "save", modify the content of image[file] in the request packet in Burp Suit as the attack code
payload:"onerror="alert(/xss/)
3
Any member browses the blog page:
4

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions