Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin


Reported on

Sep 17th 2021


Stored XSS Content allows for the arbitrary execution of JavaScript

Proof of Concept

In Wechat management at feature 
- Reply rule management 
- Follow reply configuration 
- Default reply configuration 
- Follow automatic replies 

Save Reply text with payload : </titLe/</teXtarEa/</scRipt/--!>\x3csVg/<iMg SrC="x" oNeRRor="alert(1);">\x3e
XSS will trigger when reloading page or goto edit

Video PoC

Video PoC


This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the zoujingli/thinkadmin team and are waiting to hear back 2 years ago
邹景立 validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
2 years ago


HTML needs to be parsed during mobile phone preview. Only HTML executable script filtering can be done here.

2 years ago


I noticed this problem happened when the textarea tags were escaped by my payload rather than the mobile phone preview

2 years ago


I already know the problem. Now I'm going to XSS filter the submitted data and delete the on* and script of all elements.

2 years ago


Execute the following command to resolve the problem:

composer update

php think xadmin:install wechat

邹景立 marked this as fixed with commit c1d724 2 years ago
邹景立 has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation