提出 #442037: 贵州觅新科技有限公司 115cms v8 20240807 Cross Site Scripting情報

タイトル贵州觅新科技有限公司 115cms v8 20240807 Cross Site Scripting
説明Summary 115cms v8 version 20240807 is affected by multiple reflected Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities occur due to insufficient input validation and sanitation, allowing attackers to inject malicious scripts into web pages that are then executed in the browsers of other users. Details This is the affected template file: /app/admin/view/web_user.html /app/admin/view/web_file.html /app/admin/view/web_set.html /app/admin/view/web_useradmin.html /app/admin/view/web_appurladd.html /app/setpage/view/admin/pageAE.html The vulnerabilities exist due to the improper handling of the ks and tid parameters. These parameters are directly concatenated into the HTML output without proper sanitization, allowing an attacker to inject arbitrary JavaScript code. POC For each of the identified endpoints, an attacker can exploit the vulnerability by injecting a malicious script via the respective parameter. Below are the URLs with crafted payloads that demonstrate the reflected XSS: http://target-ip/index.php/admin/web/user.html?ks=%22%3E%3Cscript%3Ealert(1)%3C/script%3E http://target-ip/index.php/admin/web/file.html?ks=%22%3E%3Cscript%3Ealert(1)%3C/script%3E http://target-ip/index.php/admin/web/set.html?type=%22%3E%3Cscript%3Ealert(1)%3C/script%3E http://target-ip/index.php/admin/web/useradmin.html?ks=%22%3E%3Cscript%3Ealert(1)%3C/script%3E http://target-ip/index.php/admin/web/appurladd.html?tid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E http://target-ip/index.php/setpage/admin/pageAE.html?tid=%22%3E%3Cscript%3Ealert(1)%3C/script%3E Impact If a administrator accesses the malicious url, the cookie may be obtained by an attacker.
ソース⚠️ https://github.com/Hebing123/cve/issues/70
ユーザー
 jiashenghe (UID 39445)
送信2024年11月12日 10:23 (1 年 ago)
モデレーション2024年11月20日 09:26 (8 days later)
ステータス承諾済み
VulDBエントリ285508 [115cms 迄 20240807 pageAE.html tid クロスサイトスクリプティング]
ポイント20

概要

Might our Artificial Intelligence support you?

Check our Alexa App!