XSS vulnerability in u5cms version 8.3.5 #49

Closed
@1ue0v

Description

XSS vulnerability in u5cms version 8.3.5

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

When I access the default home page on the web, if the parameter passed in is /? "Onmouseover=%27tzgl (96502)%27bad=", it can be found that the passed-in parameter appears in the href attribute of an a tag in the page.

Then view the source code, and you can find the entered parameters present in the href attribute of the a tag.

If the parameter passed in is a payload carefully constructed by the attacker, it may cause more serious HTML injection. And if possible, I strongly suggest you check more carefully whether the parameters entered by the user are legal when handling user input and output in the program.

Best wishes!
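
The attribute breakout described in the report, and the output encoding that closes it, as an added example that is not part of the original report or of u5cms's code. The two `render_link_*` functions are hypothetical stand-ins for the affected template, and the example assumes the server reflects the URL-decoded query string.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Query string quoted in the report; decoded here on the assumption that
# the server-side code sees the URL-decoded value.
REPORTED_QUERY = '"Onmouseover=%27tzgl (96502)%27bad="'
DECODED_QUERY = unquote(REPORTED_QUERY)

def render_link_unescaped(query: str) -> str:
    """Hypothetical template: request input placed raw inside href."""
    return f'<a href="/?{query}">home</a>'

def render_link_escaped(query: str) -> str:
    """Same template with attribute-context encoding applied at output time."""
    return f'<a href="/?{escape(query, quote=True)}">home</a>'

class AnchorAttrs(HTMLParser):
    """Records the attributes of the first <a> tag as an HTML parser tokenizes them."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)

def anchor_attributes(markup: str) -> dict:
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}

def unexpected_attributes(markup: str) -> list:
    """Attribute names other than href; a non-empty list means input left the attribute."""
    return sorted(name for name in anchor_attributes(markup) if name != "href")

if __name__ == "__main__":
    for render in (render_link_unescaped, render_link_escaped):
        page = render(DECODED_QUERY)
        print(render.__name__, unexpected_attributes(page), page)
```

The same `unexpected_attributes` check can serve as a regression test against rendered pages once the template encodes its output.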
