| Title | linlinjava litemall ≤v1.8.0 Stored XSS |
|---|---|
| Description | A stored cross-site scripting (XSS) vulnerability exists in Litemall versions ≤ 1.8.0 at the /wx/storage/upload endpoint. The application does not validate file extensions when processing uploaded files, allowing attackers to upload executable files such as .html, .htm, or .pdf. These files are then served back to clients directly without any sanitization, resulting in stored XSS. |
| Source | https://github.com/linlinjava/litemall/issues/567 |
| User | ez-lbz (UID 87033) |
| Submission | 07/28/2025 07:26 (11 months ago) |
| Moderation | 08/08/2025 17:44 (11 days later) |
| Status | Accepted |
| VulDB entry | 319266 [linlinjava litemall up to 1.8.0 /wx/storage/upload File unrestricted upload] |
| Points | 19 |