KesionCMS存储型xss漏洞可打任意用户 - exploit database | Vulners.com
Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:94929
HistoryMay 23, 2014 - 12:00 a.m.

KesionCMS存储型xss漏洞可打任意用户

2014-05-2300:00:00
Root
www.seebug.org
8
JSON

简要描述:

KesionCMS存储型xss漏洞,可打任意用户

详细说明:

这里选择用KesionCMS官方体验地址http://demo.kesion.com/
该存储型xss漏洞存在于发送消息处
这里我们用bitcoin100向另外一个用户bitcoin发送消息,
发送消息时,在内容中插入xss代码
“><img src=”#">

<img src=“https://images.seebug.org/upload/201405/1909290837b1f177a77c7d2f8d0a4ae82a4669f8.jpg” alt=“1.jpg” width=“600”>

目标用户bitcoin查看消息即可成功触发

<img src=“https://images.seebug.org/upload/201405/19092925fe4fc041f799976a4b944efb05c68c28.jpg” alt=“2.jpg” width=“600”>

漏洞证明:

如上

JSON