XSS vulnerability in u5cms version 8.3.5 #49

Closed
Yu1e opened this issue Jun 4, 2022 · 0 comments

Yu1e commented Jun 4, 2022

XSS vulnerability in u5cms version 8.3.5

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.

When I access the default home page on the web, if the parameter passed in is /? "Onmouseover=%27tzgl (96502)%27bad=", it can be found that the passed in parameters appear in the href attribute of a tag in the page.


Then view the source code, and you can find the entered parameters and their existence in the href attribute of the a tag.


If the parameter passed in is a payload carefully constructed by the attacker, it may cause more serious HTML injection. And if possible, I strongly suggest you check more carefully whether the parameters entered by the user are legal when handling user input and output in the program.

Best wishes!
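
The check below is an added example, not part of the original report and not u5cms code. It reproduces the reported pattern (a query string copied into an `href`) with two stand-in renderers and uses a harmless constructed marker attribute to detect whether a quote in the query string escapes the attribute. The function names, the `data-probe` marker and the rendered link are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Constructed, harmless probe with the same shape as the report:
# a double quote that ends the href value, followed by a new attribute.
PROBE_ATTR = "data-probe"
PROBE_QUERY = f'"{PROBE_ATTR}="1'


def render_unencoded(query: str) -> str:
    """Stand-in for the reported behaviour: query copied into href as-is."""
    return f'<a href="/?{query}">home</a>'


def render_encoded(query: str) -> str:
    """Same link with attribute-context encoding (quotes become &quot;)."""
    return f'<a href="{escape("/?" + query, quote=True)}">home</a>'


class _AnchorAttrs(HTMLParser):
    """Collects the attribute dictionaries of every <a> start tag."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def breaks_out_of_href(html: str) -> bool:
    """True if the probe was parsed as its own attribute on any <a> tag."""
    parser = _AnchorAttrs()
    parser.feed(html)
    parser.close()
    return any(PROBE_ATTR in attrs for attrs in parser.anchors)


if __name__ == "__main__":
    for name, render in (("unencoded", render_unencoded),
                         ("encoded", render_encoded)):
        page = render(PROBE_QUERY)
        print(f"{name:10} breakout={breaks_out_of_href(page)}  {page}")
```

In a regression test against a real deployment, the HTML passed to `breaks_out_of_href` would be the response body fetched with the probe in the query string.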
