CVE-2021-39428: There is a vulnerability in eyouCMS v1.5.4 that could cause Cross Site Scripting (XSS) · Issue #14 · weng-xianhu/eyoucms
Cross Site Scripting (XSS) vulnerability in Users.php in eyoucms 1.5.4 allows remote attackers to run arbitrary code and gain escalated privileges via the filename for edit_users_head_pic.
In /application/user/controller/Users.php:
After the POST data sent by the Ajax request is received at line 1333, the $head_pic_url parameter is used without any filtering. This parameter is the URL of the avatar after it has been uploaded successfully.
At line 1345 the value is written directly to the database (stored and updated), and it is then concatenated as if it were a legitimate URL and output in the src attribute of an img tag.
In other words, by intercepting the POST request sent by the Ajax call and modifying the URL of the uploaded avatar, an attacker can create a stored XSS, and the XSS code is triggered in the back end.
Steps to reproduce: intercept the Ajax request sent when uploading an avatar on the user page and change the filename parameter to an XSS payload.
The XSS payload is stored in the database.
The XSS payload is executed when an admin visits the user center page.
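The following is an added illustration of the missing check described above, not code from eyoucms: the avatar URL is validated against an allowlist of site-relative image paths before it is stored, and escaped for an HTML attribute context when rendered into the img src. The function names, the POST key and the upload directory prefix are assumptions.

```php
<?php
// Added illustration (not eyoucms code). Names and the /uploads/user/ prefix are assumed.

// Accept only a site-relative path under the avatar upload directory whose
// segments contain safe characters and whose name ends in an image extension.
// Anything else (schemes, quotes, angle brackets, '..' segments) is rejected.
function validate_head_pic_url(string $url): ?string
{
    $url = trim($url);
    $pattern = '#^/uploads/user/(?:[A-Za-z0-9_\-]+/)*[A-Za-z0-9_\-]+\.(?:jpe?g|png|gif|webp)$#i';
    if (!preg_match($pattern, $url)) {
        return null;
    }
    return $url;
}

// Escape for the HTML attribute context before the value lands in <img src="...">.
function render_head_pic_img(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $safe . '" alt="avatar">';
}

// Sketch of what the update handler should do with the POSTed value:
// validate first, store only the validated value, escape on output.
function handle_edit_users_head_pic(array $post): array
{
    $url = validate_head_pic_url((string)($post['filename'] ?? ''));
    if ($url === null) {
        return ['code' => 0, 'msg' => 'invalid avatar path'];
    }
    // ... persist $url to the users table with a prepared statement ...
    return ['code' => 1, 'html' => render_head_pic_img($url)];
}
```

With this check, a value such as `/uploads/user/2021/avatar_1.png` is accepted while any input containing quotes, brackets or a scheme is refused before it reaches the database.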