| Название | DedeCMS V5.7.116 Cross Site Scripting |
|---|
| Описание | Summary
A stored XSS vulnerability has been identified in DedeCMS V5.7.116.
Attackers can exploit this vulnerability by maliciously inserting an XSS payload in the comment section during the purchase of goods.
Details
The vulnerability is located in the file plus/carbuyaction.php. Our analysis indicates that all parameters are passed through the RemoveXSS method.
However, our payload can bypass the RemoveXSS method's filtering for XSS vulnerabilities, thus any script that relies solely on the RemoveXSS method to filter parameter values and displays these values on the page is vulnerable.
Steps
The attacker, posing as a regular user, purchases goods and adds a malicious comment.
An administrator opens the order details in the backend, triggering the stored XSS vulnerability. |
|---|
| Источник | ⚠️ https://github.com/Hebing123/cve/issues/79 |
|---|
| Пользователь | jiashenghe (UID 39445) |
|---|
| Представление | 28.11.2024 04:04 (2 лет назад) |
|---|
| Модерация | 04.12.2024 17:31 (7 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 286905 [DedeCMS 5.7.116 HTTP POST Request /plus/carbuyaction.php RemoveXSS межсайтовый скриптинг] |
|---|
| Баллы | 20 |
|---|