Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In /comment
[Suggested description]
blog-ssm v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /comment. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the notifyInfo parameter.
[Vulnerability Type]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In /comment
[Suggested description]
blog-ssm v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /comment. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the notifyInfo parameter.
[Vulnerability Type]
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[Vendor of Product]
https://github.com/rawchen/blog-ssm
[Affected Product Code Base]
1.0
[Affected Component]
blog-ssm 1.0
OS: Windows/Linux/macOS
Browser: Chrome、Firefox、Safari
[Attack Vector]
Step1:Registered account, username: text123, password: 123456.
Step2:Log in to the account you just registered and click "File Management".
Step3:Click any article on the homepage and enter malicious Javascript code in the comment area.
Data Pack:
Step4:Visit the article again to trigger a stored XSS attack.
[Attack Type]
Remote
[Impact Code execution]
True
[Reference(s)]
https://cwe.mitre.org/data/definitions/79.html
The text was updated successfully, but these errors were encountered: