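Hello:

I am a staff member of 360 Code Guard (360代码卫士). During a code audit of our open-source projects, we found that jeesns has an XSS vulnerability. Details are as follows:
At line 32 of CkeditorUploadController.java, the CKEditorFuncNum parameter is read from the request, and at line 41 it is finally output to the page, which results in an XSS vulnerability.
Although the project has an XSS interceptor, it only filters characters inside script tags, and the XSS here does not need a script tag, because the context already has one. CKEditorFuncNum=");prompt(1);
Although this is a reflected XSS over a POST request, it can still be combined with CSRF to carry out an attack.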
Fix BUG: reflected XSS #8
def9c91
Handled, many thanks.
55ea802
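
An added example, not part of the original thread and not the jeesns source: it shows why a filter that only looks for script tags does not help when CKEditorFuncNum is echoed inside an inline script, and one way to close the hole by allow-listing the parameter as an integer. The class and method names and the exact shape of the callback response are assumptions for illustration.

```java
import java.util.regex.Pattern;

// Added illustration; class, method names and response shape are hypothetical.
public class CkeditorCallbackDemo {
    // CKEditor sends a small integer as CKEditorFuncNum; accept nothing else.
    private static final Pattern FUNC_NUM = Pattern.compile("\\d{1,9}");

    // Assumed vulnerable shape: the parameter is concatenated into an inline
    // script, so the value is already inside a JavaScript context.
    static String unsafeCallback(String funcNum, String fileUrl) {
        return "<script type=\"text/javascript\">"
                + "window.parent.CKEDITOR.tools.callFunction(\""
                + funcNum + "\",\"" + fileUrl + "\",\"\");</script>";
    }

    // Hardened form: allow-list the function number, emit it as a numeric
    // literal, and escape the URL for use inside a JavaScript string.
    static String safeCallback(String funcNum, String fileUrl) {
        if (funcNum == null || !FUNC_NUM.matcher(funcNum).matches()) {
            throw new IllegalArgumentException(
                    "CKEditorFuncNum must be a non-negative integer");
        }
        return "<script type=\"text/javascript\">"
                + "window.parent.CKEDITOR.tools.callFunction("
                + Integer.parseInt(funcNum) + ",\""
                + escapeJsString(fileUrl) + "\",\"\");</script>";
    }

    // Escape everything except ASCII letters and digits as \\uXXXX.
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) sb.append(c);
            else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String reported = "\");prompt(1);";  // value quoted in the report
        String url = "/upload/demo.png";     // constructed sample path
        // The reported value contains no script tag, yet ends the string and call.
        System.out.println(unsafeCallback(reported, url));
        try {
            safeCallback(reported, url);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(safeCallback("1", url));
    }
}
```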