Cross-site Scripting (XSS) - Reflected in zoujingli/thinkadmin


Reported on

Aug 25th 2021

✍️ Description

The Application is Vulnerable to reflected XSS Attack.

🕵️‍♂️ Proof of Concept

Open the following page in the browser as admin. The 商品名称 field is vulnerable to reflected XSS. An alert box is displayed as PoC.

💥 Impact

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.

Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.


We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago
邹景立 validated this vulnerability 2 years ago
Melbin Mathew Antony has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立 marked this as fixed with commit 296380 2 years ago
邹景立 has been awarded the fix bounty
This vulnerability will not receive a CVE
2 years ago


Test after composer update.

to join this conversation