There is a persistent XSS vulnerability #129

Open
Cass203 opened this issue Apr 18, 2018 · 0 comments
Cass203 commented Apr 18, 2018

An issue was discovered in WUZHI CMS 4.1.0. There is a persistent XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the tag[tag] parameter posted to /index.php?m=tags&f=index&v=add&&_su=wuzhicms&_menuid=?&_submenuid=?

The attacker can add a new TAGS entry with the XSS payload after logging in as a website editor (a role whose privilege is lower than the administrator's).
By exploiting the vulnerability, a website editor can steal the cookies while the administrator is browsing the TAGS Management and activates the XSS code.

POC:

Inject the XSS payload: `<script>alert(/xss/)</script>`

Cass203 changed the title from "There is a persistent XSS vulnerability that can steal the cookies of the administrator" to "There is a persistent XSS vulnerability" on Apr 18, 2018
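For maintainers triaging the report above, the following added example (constructed for illustration, not WUZHI CMS code and not part of the original issue) shows the unescaped-output pattern behind a stored XSS in a tag listing next to a hardened form. All function names, the allowed character set and the 64-character limit are assumptions.

```php
<?php
// Added example: constructed code, not taken from WUZHI CMS.
declare(strict_types=1);

/** Vulnerable pattern: the stored tag name is concatenated into HTML as-is. */
function render_tag_row_unsafe(string $tag): string
{
    return '<tr><td>' . $tag . '</td></tr>';
}

/** Hardened: encode at output so markup in the stored value is shown as text. */
function render_tag_row_safe(string $tag): string
{
    $encoded = htmlspecialchars($tag, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>' . $encoded . '</td></tr>';
}

/**
 * Defence in depth on the write path: accept only what a tag name needs.
 * Character set and length limit are assumptions made for this sketch.
 * Returns the trimmed name, or null when the value must be rejected.
 */
function validate_tag_name(string $tag): ?string
{
    $tag = trim($tag);
    // Unicode letters and digits, space, underscore, hyphen; 1 to 64 characters.
    return preg_match('/^[\p{L}\p{N} _-]{1,64}$/u', $tag) === 1 ? $tag : null;
}

// Limits the cookie-theft impact the report describes: HttpOnly cookies are
// not readable from script. Must run before session_start() and any output.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Constructed input: the value the report submits in tag[tag].
$submitted = '<script>alert(/xss/)</script>';

// Same stored value, rendered through both code paths for comparison.
echo render_tag_row_unsafe($submitted), PHP_EOL;
echo render_tag_row_safe($submitted), PHP_EOL;

// Write-path check: the reported payload versus an ordinary tag name.
var_dump(validate_tag_name($submitted));
var_dump(validate_tag_name('security-news'));
```

Output encoding is the primary fix because it also covers values already stored in the database; the input check and the HttpOnly flag only reduce exposure.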