XSS vulnerability2 in jfinal_cms 5.1.0

There is a stored XSS vulnerability in JFinal_cms 's publish blog module. An attacker could insert malicious XSS code into the content of the blog post. When users and administrators view the blog post, the malicious XSS code is triggered successfully.

First register a user to test, then go to the submit blog post page and insert malicious XSS code in the content field

Payload:`%3Cp%3Etest2%3C%2Fp%3E%3Cimg%20src%3D%22x%22%20onerror%3Dalert(document.cookie)%3E%3C%2Fp%3E`

Submit a blog post

![202207181056999](https://user-images.githubusercontent.com/58295122/179446610-6b189216-b752-416f-9ac6-5f8769d0651f.png)




Modification of data packages via Burp Suite

![202207181057741](https://user-images.githubusercontent.com/58295122/179446615-49bd871d-b9fe-4f85-b8ad-03446068dfc9.png)


Change the model.content field to Payload

![202207181103768](https://user-images.githubusercontent.com/58295122/179446627-4294b220-581b-4912-a62f-6a21cda0694d.png)


Successfully executed malicious XSS code:

![202207181104455](https://user-images.githubusercontent.com/58295122/179446638-faecefd4-fcc3-4da8-a3eb-877f54c0146c.png)
![202207181105864](https://user-images.githubusercontent.com/58295122/179446640-e9c38956-92b8-4907-ba5d-b41d00f9688c.png)




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

XSS vulnerability2 in jfinal_cms 5.1.0 #46

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

XSS vulnerability2 in jfinal_cms 5.1.0 #46

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions