After the administrator has logged in, open the following page, which will add a classification.
test2.html: add a classification. Insert the payload in “type_en”.
The attacker sends the link to the administrator.
When the administrator logs in and opens the page, he will add a classification, and the “english name” will be modified to a malicious JavaScript payload.
Then the administrator's cookie will be sent to the attacker, and he will get the administrator's privileges!
Then the “english name” will be modified to " onmouseover=alert(document.cookie) ".
We can see the result.
The attacker can use this vulnerability to obtain the administrator's cookie, and then he will get the administrator's privileges!
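The chain reported above needs two things to work: the add-classification request is accepted without any proof that it came from the application's own form (CSRF), and the “english name” is later written into HTML without encoding (stored XSS). The following is an added illustration, not the project's own code, of the two server-side defences that break that chain: a CSRF token bound to the session, and attribute-context escaping of the stored value. The names handle_add_classification, render_type_en, csrf_token_for and SESSION_KEY are assumed for the example; the payload string is the one from this report.

```python
"""Added illustration (not the project's code): server-side defences for the
CSRF + stored-XSS chain described in this issue.  Function and variable names
(handle_add_classification, render_type_en, csrf_token_for, SESSION_KEY) are
assumed for the example."""
import hashlib
import hmac
import html
import secrets
from typing import Dict, Optional

# Constructed server-side key; a real application keeps this in its config.
SESSION_KEY = secrets.token_bytes(32)

# In-memory store standing in for the classifications table.
CLASSIFICATIONS: list = []

# The exact payload quoted in the report, used here as test input.
REPORT_PAYLOAD = '" onmouseover=alert(document.cookie) "'


def csrf_token_for(session_id: str) -> str:
    """Derive a CSRF token bound to the session.  The legitimate admin form
    embeds it in a hidden field; a page on another origin (test2.html) cannot
    read it and therefore cannot forge a valid request."""
    return hmac.new(SESSION_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, submitted: Optional[str]) -> bool:
    """Constant-time comparison; a missing or wrong token fails closed."""
    if not submitted:
        return False
    return hmac.compare_digest(csrf_token_for(session_id), submitted)


def render_type_en(type_en: str) -> str:
    """Render the English name inside an HTML attribute.  quote=True turns the
    double quote into &quot;, so a value like the report's payload cannot close
    the attribute and add an onmouseover= handler of its own."""
    return '<input name="type_en" value="%s">' % html.escape(type_en, quote=True)


def handle_add_classification(session_id: str, form: Dict[str, str]) -> Dict[str, object]:
    """Process a POST to the add-classification action.

    Returns a small dict standing in for an HTTP response: the status code
    and, on success, the HTML fragment the admin page would show for the
    new entry."""
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        # A cross-site page cannot supply the token, so the forged request
        # is rejected before anything is stored.
        return {"status": 403, "stored": False}
    type_en = form.get("type_en", "")
    CLASSIFICATIONS.append(type_en)  # stored raw; encoded on output below
    return {"status": 200, "stored": True, "html": render_type_en(type_en)}


if __name__ == "__main__":
    sid = "admin-session-123"
    # Forged request from test2.html: no token, rejected.
    print(handle_add_classification(sid, {"type_en": REPORT_PAYLOAD}))
    # Genuine request from the admin form: accepted, value rendered escaped.
    print(handle_add_classification(
        sid, {"type_en": REPORT_PAYLOAD, "csrf_token": csrf_token_for(sid)}))
```

Either defence alone closes the reported path (the token stops the forged add, the escaping stops the stored value from executing), and the two are independent: the token protects every state-changing action, while output encoding protects every place the name is rendered, including any edit form or listing the report does not mention.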