The plugin does not escape some of its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
Put the following payload in the 本地文件夹 or URL前缀 settings of the plugin: " style=animation-name:rotation onanimationstart=alert(/XSS/) b=
CPE | Name | Operator | Version |
---|---|---|---|
sync-qcloud-cos | lt | 2.0.1 |