You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There is a storage XSS vulnerability in the guest TOP10 of jfinal_cms. TOP10 will display the ip of the user, but it can be modified by X-Forwarded-For, where the attacker can insert malicious XSS code. When the administrator logs in, the malicious XSS code triggers successfully.
There is a storage XSS vulnerability in the guest TOP10 of jfinal_cms. TOP10 will display the ip of the user, but it can be modified by X-Forwarded-For, where the attacker can insert malicious XSS code. When the administrator logs in, the malicious XSS code triggers successfully.
payload: X-Forwarded-For: 192.168.1.1<script>alert ("xss")</script>
In the background login interface, enter the account password randomly, fill in the correct verification code, and then submit and grab the package.
The contents of the grab bag are as follows:
Add an X-Forwarded-For here and enter paylaod (192.168.1.1<script>alert ("xss")</script>)
Then log in with the background administrator account to trigger the storage XSS.
Safety advice:
Strictly filter the user's input
Strict control of page rendering content
The text was updated successfully, but these errors were encountered: