| Title | ThinkSAAS 3.7.0 Cross Site Scripting |
|---|
| Description | The ThinkSAAS 3.7.0 application contains a storage XSS vulnerability caused by insufficient sanitization of user input. Specifically, the parameters site_title, site_subtitle, site_key, site_desc, site_url, site_email, and site_icp are not properly filtered for malicious code in app/system/action/do.php.
An attacker can exploit this issue by injecting malicious payloads into these parameters, leading to the execution of arbitrary JavaScript code in the context of the user's browser. |
|---|
| Source | ⚠️ https://github.com/thinksaas/ThinkSAAS/issues/36 |
|---|
| User | jiashenghe (UID 39445) |
|---|
| Submission | 07/12/2024 09:00 (2 years ago) |
|---|
| Moderation | 07/20/2024 11:45 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 272063 [ThinkSAAS 3.7.0 app/system/action/do.php cross site scripting] |
|---|
| Points | 20 |
|---|