[Suggested description]
This open source system is a student information management system. There is a stored cross-site scripting vulnerability in the announcement function: announcement content submitted by a user is stored and later rendered to other visitors without output encoding. Attackers can use this vulnerability to carry out cross-site scripting attacks on website visitors, such as "cookie theft" and "browser escape".
POST: http://localhost:8081/sims/addNotifyServlet
[Vulnerability Type]
Cross-Site Scripting (XSS), stored (CWE-79)
[Vendor of Product]
https://github.com/rawchen/sims
[Affected Product Code Base]
1.0
[Affected Component]
Sims 1.0
OS: Windows/Linux/macOS
Browser: Chrome, Firefox, Safari
[Attack vector]
[Attack Type]
Remote
[Impact Code execution]
False
[Proof of concept]
Step 1: Select "Announcement List" under the "System Management" tab, fill in the constructed payload in the input box, and publish it (the form posts to addNotifyServlet).
Step 2: When any user accesses the bulletin, the stored payload is rendered into the page and the vulnerability is triggered.
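The root cause described above is that the stored announcement text is written into the HTML response as-is. The following is an added example, not code from the sims project, showing the vulnerable rendering pattern beside a hardened version that HTML-encodes every untrusted field at the point of output. The class and method names (AnnouncementEscaping, renderAnnouncementVulnerable, renderAnnouncementSafe) and the sample announcement are hypothetical and constructed for illustration; the real servlet's field names are not shown on this page.

```java
/**
 * Added example (not sims project code): output encoding for announcement text.
 * Method names and the sample announcement below are hypothetical/constructed.
 */
public class AnnouncementEscaping {

    /** Encode the characters that can break out of HTML text or attribute context. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable pattern: stored content concatenated straight into the page. */
    public static String renderAnnouncementVulnerable(String title, String body) {
        return "<div class=\"notify\"><h3>" + title + "</h3><p>" + body + "</p></div>";
    }

    /** Hardened pattern: every untrusted field is encoded when it is written out. */
    public static String renderAnnouncementSafe(String title, String body) {
        return "<div class=\"notify\"><h3>" + escapeHtml(title)
                + "</h3><p>" + escapeHtml(body) + "</p></div>";
    }

    public static void main(String[] args) {
        // Constructed sample of what could be stored through the announcement form.
        String storedTitle = "Exam schedule";
        String storedBody = "<script>alert(1)</script>";

        String vulnerable = renderAnnouncementVulnerable(storedTitle, storedBody);
        String safe = renderAnnouncementSafe(storedTitle, storedBody);

        System.out.println("vulnerable: " + vulnerable);
        System.out.println("safe:       " + safe);

        // After encoding, no raw tag delimiters from user data remain in the output.
        if (safe.contains("<script")) {
            throw new AssertionError("output encoding failed");
        }
    }
}
```

Encoding at output time is the fix that addresses the CWE-79 issue directly; if the view is a JSP, the same effect is obtained with `<c:out>` or `fn:escapeXml()` instead of `${...}` interpolation. Setting the session cookie with the HttpOnly flag and sending a Content-Security-Policy header reduce the impact of the "cookie theft" scenario but do not replace encoding.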
[Reference(s)]
http://cwe.mitre.org/data/definitions/79.html