जमा करें #849495: mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Cross Site Scriptingजानकारी

शीर्षकmjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Cross Site Scripting
विवरणThe affected components are `application/PHP/objects/notes/add_into_dictionary.php`, `application/PHP/objects/notes/display_dictionary.php`, `application/PHP/classes/Notes_controller.php`, and `application/JS/notes.js`. Dictionary entries store user-controlled `reference` values and later render them into HTML without escaping: ```php $insert_definition_statement = $this->db_holder->prepare("INSERT INTO definitions VALUES (null, ?, ?);"); $insert_definition_statement->execute(array($definition, $reference)); ... $dictionary = $dictionary."<p>".nl2br(htmlentities($data[0]))."<br /> <span id='no_dictionary_added_by'>Added by: ".$data[2]."</span><br /> <span>Reference: ".$data[1]."</span> </p>"; ``` The client inserts the returned HTML with `.html(data)`: ```javascript $("#no_display_dictionary_container_div").html(data); ``` An authenticated attacker can store payloads such as `<svg/onload=alert()>` in the reference field. When another user views the dictionary entry, the payload executes in that user's browser.
स्रोत⚠️ https://github.com/mjperpinosa/stumasy/issues/8
उपयोगकर्ता
 cnluminous (UID 98136)
सबमिशन05/06/2026 04:51 PM (29 दिन पहले)
संयम04/07/2026 05:50 PM (29 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि376341 [mjperpinosa stumasy तक 327d1b0f2915ba79d7ef8ebb74553e987609d9be add_into_dictionary.php add_definition reference क्रॉस साइट स्क्रिप्टिंग]
अंक20

Interested in the pricing of exploits?

See the underground prices here!