Headline
CVE-2022-32442: XSS vulnerability in u5cms version 8.3.5 · Issue #49 · u5cms/u5cms
u5cms version 8.3.5 is vulnerable to Cross Site Scripting (XSS). When a user accesses the default home page if the parameter passed in is http://127.0.0.1/? "Onmouseover=%27tzgl (96502)%27bad=", it can cause html injection.
XSS vulnerability in u5cms version 8.3.5
Cross-site Scripting (XSS) refers to client-side code injection attack wherein an attacker can execute malicious scripts into a legitimate website or web application. XSS occurs when a web application makes use of unvalidated or unencoded user input within the output it generates.
When I access the default home page on the web, if the parameter passed in is /? "Onmouseover=%27tzgl (96502)%27bad=", it can be found that the passed in parameters appear in the href attribute of a tag in the page.
Then view the source code,you can find the entered parameters and their existence in the href attribute of the a tag
If the parameter passed in is a payload carefully constructed by the attacker, it may cause more serious HTML injection. And if possible, I strongly suggest you check more carefully whether the parameters entered by the user are legal when handling user input and output in the program.
Best wishes!