| tiêu đề | https://github.com/1Panel-dev/CordysCRM CordysCRM v1.4.1 Stored XSS |
|---|
| Mô tả | The AnnouncementController component in CordysCRM v1.4.1 contains a stored cross-site scripting (XSS) vulnerability. This vulnerability stems from the addAnnouncement() method's failure to adequately validate or encode the content parameter when processing new announcement requests. A remote attacker could use the /announcement/add interface to submit announcement content containing malicious JavaScript code. This announcement could be viewed by any user, allowing an attack on any user on the system. When a designated user (such as an administrator or regular employee) views the announcement, the malicious script will execute in their browser environment. |
|---|
| Nguồn | ⚠️ https://github.com/1Panel-dev/CordysCRM/issues/2229 |
|---|
| Người dùng | DaytimeHeaven (UID 96977) |
|---|
| Đệ trình | 13/05/2026 12:37 (cách đây 22 ngày) |
|---|
| Kiểm duyệt | 01/06/2026 07:49 (19 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 367596 [1Panel-dev CordysCRM đến 1.6.2 RequestParamTrimConfig.java Tập lệnh chéo trang] |
|---|
| điểm | 20 |
|---|