ThinkCMF version 6.0.7 is vulnerable to Stored Cross-Site Scripting. More precisely, the component that manages the slideshows allows you to insert HTML tags and JavaScript code in the Name field.
Here are the steps to reproduce the issue.
A remote user tricks the logged in administrator into visiting a malicious site.
The administrator opens the page containing the CSRF payload, injecting the XSS payload into the Slideshow Management (幻灯片管理) page, in the Name (名称) field.
The administrator opens the Slideshow Management (幻灯片管理) page, clicks the Admin Page (管理页面) button, and the stored payload is executed.
Note that with this issue a remote user can steal the administrator's session cookie (PHPSESSID).
These are the PoCs I used.
Screenshots
Fig. 1: CSRF that contains an XSS payload
Fig. 2: CSRF payload triggered
Fig. 3: XSS payload injected
Fig. 4: XSS triggered
Fig. 5: Reading the PHPSESSID cookie
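The two controls that close the chain described above, a CSRF token on the slideshow save request and escape-on-output for the Name field, as an added PHP example that is not ThinkCMF's own code; the function, session and field names are hypothetical:

```php
<?php
// Added example, not ThinkCMF's own code. Function, session and field names are
// hypothetical; they model the Slideshow Management Name field from the report.
declare(strict_types=1);

/** Escape a stored slideshow name before it is placed in the admin page HTML. */
function renderSlideName(string $name): string
{
    // ENT_QUOTES encodes both quote kinds (safe in attributes too); ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Issue a per-session CSRF token to embed in the slideshow save form. */
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Accept a slideshow save only when the posted token matches the session's. */
function verifyCsrfToken(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

/** Audit helper: flag already-stored names that contain markup or script handlers. */
function nameLooksLikeMarkup(string $name): bool
{
    return (bool) preg_match('/<\s*\/?\s*[a-z][^>]*>|javascript:|\bon\w+\s*=/i', $name);
}

// Self-check with a constructed payload (not taken from a real slideshow row).
function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("failed: $what"); }
}
$session = [];
$token   = issueCsrfToken($session);
$payload = '<script>alert(1)</script>';
check(renderSlideName($payload) === '&lt;script&gt;alert(1)&lt;/script&gt;', 'escape');
check(verifyCsrfToken($session, ['csrf_token' => $token]), 'valid token');
check(!verifyCsrfToken($session, ['csrf_token' => 'forged']), 'forged token');
check(nameLooksLikeMarkup($payload) && !nameLooksLikeMarkup('首页横幅'), 'audit');
echo "all checks passed\n";
```

In a real deployment the token check runs on the slideshow save endpoint before the row is written, and the escaping is applied wherever the Name is rendered, including the list on the Admin Page where the report shows the payload firing.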