| タイトル | ghostxbh uzy-ssm-mall v1.0.0 Cross Site Scripting |
|---|
| 説明 | Vulnerability Description
uzy-ssm-mall v1.0.0 is vulnerable to Cross-Site Scripting (XSS) attacks. Due to the absence of an XSS filter in web.xml and the lack of input escaping mechanisms, attackers can inject malicious scripts at any input point, allowing the execution of arbitrary code in the user's browser. This vulnerability affects the entire site and may lead to severe consequences such as session hijacking and data leakage.
Vulnerability Location
web.xml
Code Audit Process
Vulnerability File Path / File Name: web.xml
Code Analysis:
The code does not utilize any XSS filters or escaping functions, such as htmlspecialchars or htmlentities.
No filtering or escaping is applied to user input at input points.
web.xml does not configure an XSS filter; only a login interception filter is configured.
POC (Proof of Concept)
Example of an input point:
http(s)://target-ip/mall/product?product_name=</title><script>alert(1)</script> |
|---|
| ソース | ⚠️ https://wiki.shikangsi.com/post/share/3cae2847-317e-47d6-8f2a-c6fbba301d8e |
|---|
| ユーザー | XingYue_Mstir (UID 72225) |
|---|
| 送信 | 2025年04月02日 11:57 (1 年 ago) |
|---|
| モデレーション | 2025年04月14日 00:36 (12 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 304601 [ghostxbh uzy-ssm-mall 1.0.0 /product product_name クロスサイトスクリプティング] |
|---|
| ポイント | 20 |
|---|