| Title | ghostxbh uzy-ssm-mall v1.0.0 Cross Site Scripting |
|---|
| Description | Vulnerability Description
uzy-ssm-mall v1.0.0 is vulnerable to Cross-Site Scripting (XSS) attacks. Due to the absence of an XSS filter in web.xml and the lack of input escaping mechanisms, attackers can inject malicious scripts at any input point, allowing the execution of arbitrary code in the user's browser. This vulnerability affects the entire site and may lead to severe consequences such as session hijacking and data leakage.
Vulnerability Location
web.xml
Code Audit Process
Vulnerability File Path / File Name: web.xml
Code Analysis:
The code does not utilize any XSS filters or escaping functions, such as htmlspecialchars or htmlentities.
No filtering or escaping is applied to user input at input points.
web.xml does not configure an XSS filter; only a login interception filter is configured.
POC (Proof of Concept)
Example of an input point:
http(s)://target-ip/mall/product?product_name=</title><script>alert(1)</script> |
|---|
| Source | ⚠️ https://wiki.shikangsi.com/post/share/3cae2847-317e-47d6-8f2a-c6fbba301d8e |
|---|
| User | XingYue_Mstir (UID 72225) |
|---|
| Submission | 04/02/2025 11:57 (1 Year ago) |
|---|
| Moderation | 04/14/2025 00:36 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 304601 [ghostxbh uzy-ssm-mall 1.0.0 /product product_name cross site scripting] |
|---|
| Points | 20 |
|---|