Submeter #725384: Xinhu Xinhu OA V2.7.1 (earlier versions may also be affected) Stored Cross-Site Scripting (XSS)informação

TítuloXinhu Xinhu OA V2.7.1 (earlier versions may also be affected) Stored Cross-Site Scripting (XSS)
DescriçãoXinhu OA V2.7.1 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability within the "Notice and Announcement" (通知公告) module. The vulnerability exists in the rock_page_gong.php file, where the fengmian (cover image) parameter accepts user-supplied input without any security filtering or sanitization. An attacker can inject a malicious XSS payload into a notice. When other users view the reminder information in the "Personal Center" (个人中心), the payload is executed in the user's browser. This could lead to session hijacking, unauthorized actions, or the execution of malicious code. Advisory / Exploit Vulnerability Point: Notice and Announcement - Add New Notice Trigger Point: Personal Center - Reminder Information - View Vulnerable Code Snippet (rock_page_gong.php): JavaScript c.setcolumns('fengmian',{ renderer:function(v){ if(!v)return '&nbsp;'; // The variable 'v' is directly concatenated into the HTML string return '<img src="'+v+'" height="60">'; } }); Proof of Concept (POC): An attacker can submit the following POST request with a malicious payload in the fengmian parameter: HTTP POST /index.php?a=save&m=mode_news|input&d=flow&ajaxbool=true&rnd=98122 HTTP/1.1 Host: [Target_Host] Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Cookie: id=0&sxuanfileid=151&title=test&fengmian="x onerror="alert(1)"&typename=Security&... The injected onerror event triggers the JavaScript execution when the image fails to load. Company official website URL: http://www.rockoa.com/ Source code download address:http://www.rockoa.com/index.php?a=down&id=298
Utilizador
 BlackSpdier (UID 89912)
Submissão28/12/2025 11h05 (há 4 meses)
Moderação04/01/2026 18h56 (7 days later)
EstadoAceite
Entrada VulDB339493 [Xinhu Rainrock RockOA até 2.7.1 Cover Image rock_page_gong.php fengmian Script de Site Cruzado]
Pontos17

VoltarVisão GeralPróximo

Might our Artificial Intelligence support you?

Check our Alexa App!