
EyouCMS v1.5.9 has multiple vulnerabilities, stored cross-site scripting (XSS) #31

Closed
h18192h opened this issue Oct 29, 2022 · 1 comment

Comments

@h18192h

h18192h commented Oct 29, 2022

Version: V1.5.9-UTF8-SP1
[Image 1]
1. Go to the backend --> Basic information --> the record number and the public security record number, and click "code mode" to switch to code mode.
[Image 2]
2. Construct the JS script in the record number field.
[Image 3]
3. Open the EyouCMS client.
[Image 4]
4. Construct JS scripts on the PC side under the website's third-party code.
[Image 5]
5. Open the EyouCMS client.
[Image 6]
6. Cross-site scripting (XSS) also exists on mobile under the public security record number, the website's third-party code, and the copyright information. The JavaScript in the copyright information affects both the frontend and the administrator backend.
[Image 7]

@weng-xianhu (Owner)

Partially fixed. Some input boxes need to accept JS code, for example the website's third-party statistics code; JS code cannot be filtered out there. Some users also put statistics code into the copyright input box; all kinds of surprising usage exists.
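One way to implement the per-field policy the maintainer's reply implies (structured record-number fields are validated on save and HTML-escaped on output, while the third-party-code field is deliberately emitted raw), written here in Python as an added illustration, not EyouCMS's own PHP code; the field names and the record-number patterns are assumptions:

```python
import html
import re

# Per the report, the ICP and public-security record numbers should never
# contain markup, and the copyright notice is rendered in both the front end
# and the admin back end, so all three are escaped. The third-party-code field
# (analytics snippets) is the one place raw JS is allowed, per the maintainer.
RAW_FIELDS = {"third_party_code"}

# Loose shapes of the two record-number formats (assumed patterns, constructed
# examples: "京ICP备12345678号-1", "京公网安备11010502000001号").
ICP_PATTERN = re.compile(r"^[\u4e00-\u9fff]{1,3}ICP备\d{6,10}号(-\d+)?$")
PSB_PATTERN = re.compile(r"^[\u4e00-\u9fff]{1,3}公网安备\d{11,14}号$")

FIELD_VALIDATORS = {
    "icp_number": ICP_PATTERN,
    "psb_number": PSB_PATTERN,
}


def validate_setting(field: str, value: str) -> bool:
    """Reject structured fields whose value does not match the expected shape.
    Fields without a validator are accepted and escaped on output instead."""
    pattern = FIELD_VALIDATORS.get(field)
    if pattern is None:
        return True
    return pattern.fullmatch(value.strip()) is not None


def render_setting(field: str, value: str) -> str:
    """Raw fields are emitted unchanged; everything else is HTML-escaped."""
    if field in RAW_FIELDS:
        return value
    return html.escape(value, quote=True)


def render_footer(settings: dict) -> str:
    """Assemble footer markup, applying validation and the per-field policy."""
    parts = []
    for field, value in settings.items():
        if not validate_setting(field, value):
            raise ValueError(f"rejected {field}: not a record number")
        parts.append(f'<span class="{field}">{render_setting(field, value)}</span>')
    return "\n".join(parts)
```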
