CVE-2021-36545: XSS storage vulnerability exists in tpcms v3.2 management system · Issue #I3YUCJ · 快乐源泉/tpcms - Gitee.com
Stored Cross Site Scripting (XSS) vulnerability in tpcms 3.2: the values saved in the cfg_copyright and cfg_tel fields of the Site Configuration page are rendered into the front-end site without output encoding, so an attacker with access to the management system (including anyone holding the default admin/admin888 credentials) can execute arbitrary web script in the browser of every visitor.
Log into the tpcms v3.2 management system (default credentials admin/admin888), open "System Settings" > "Site Configuration" > "Bottom Information" (or "Phone"), enter an XSS payload and save it. Open the front-end site: the pop-up window triggered by the stored payload appears on every page that prints the footer.
URL:
http://IP/index.php/Admin/Index/index.html
Payload:
<script>alert('hello ');</script>
Because the payload is stored, it can be chained with an XSS platform (a hooking/beaconing framework): the attacker enters the malicious payload in the affected text box, and whenever a visitor opens the TPCMS front-end, the visitor's information (cookies, browser details) is sent to the attacker's XSS platform. From there it can be used for phishing or other follow-on attacks against the site's visitors.
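The following is an added example, not code from tpcms or from the issue author: it simulates the vulnerable footer template (configured values echoed verbatim) beside a hardened version that applies HTML output encoding, and provides a check a tester can run against the front page served by the target to confirm whether the stored payload is still rendered unescaped after the fix. The template markup and the field-to-footer mapping are assumptions that model the behaviour the advisory describes; the marker payload is constructed for the test.

```python
"""Added example (not tpcms code): stored-XSS rendering in the footer, the
hardened counterpart, and a verification check against fetched front-end HTML."""
import html
import re
import urllib.request

# Constructed marker payload: unique enough that a verbatim match in the page
# can only come from the stored configuration value.
PAYLOAD = '<script>alert("tpcms-xss-check-9f2a")</script>'


def render_footer_vulnerable(cfg_copyright: str, cfg_tel: str) -> str:
    """Hypothetical template modelling tpcms 3.2 behaviour: the values saved in
    cfg_copyright and cfg_tel are interpolated into the page without encoding."""
    return (
        '<div class="footer">'
        f'<span class="copyright">{cfg_copyright}</span>'
        f'<span class="tel">{cfg_tel}</span>'
        "</div>"
    )


def render_footer_hardened(cfg_copyright: str, cfg_tel: str) -> str:
    """Same template with contextual output encoding for an HTML text context.
    quote=True also encodes quotes, so the fix holds if the same values are
    later placed inside an attribute."""
    return (
        '<div class="footer">'
        f'<span class="copyright">{html.escape(cfg_copyright, quote=True)}</span>'
        f'<span class="tel">{html.escape(cfg_tel, quote=True)}</span>'
        "</div>"
    )


def payload_rendered_raw(page_html: str, payload: str = PAYLOAD) -> bool:
    """True if the stored payload appears verbatim (the browser will execute it),
    False if it was encoded or is absent from the served page."""
    return payload in page_html


def payload_rendered_encoded(page_html: str, payload: str = PAYLOAD) -> bool:
    """True if the payload text survives only in encoded form, i.e. the value is
    still displayed but can no longer create a <script> element."""
    return (payload not in page_html
            and html.escape(payload, quote=True) in page_html)


def script_elements(page_html: str) -> int:
    """Count real <script> opening tags in the served HTML; compare the count
    before and after saving the payload to spot injection into other contexts."""
    return len(re.findall(r"<script\b", page_html, flags=re.IGNORECASE))


def check_front_page(front_url: str, payload: str = PAYLOAD, timeout: int = 10) -> bool:
    """Fetch the front-end page (assumed to be served at http://IP/ after the
    payload was saved in the admin panel) and report whether it is injectable."""
    with urllib.request.urlopen(front_url, timeout=timeout) as resp:
        body = resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")
    return payload_rendered_raw(body, payload)


if __name__ == "__main__":
    vuln = render_footer_vulnerable(PAYLOAD, "0755-0000000")
    safe = render_footer_hardened(PAYLOAD, "0755-0000000")
    print("vulnerable template executes payload:", payload_rendered_raw(vuln))
    print("hardened template executes payload:  ", payload_rendered_raw(safe))
    print("hardened template still shows text:  ", payload_rendered_encoded(safe))
```

To reproduce against a live instance, save PAYLOAD in "Bottom Information" or "Phone" as described above and call check_front_page("http://IP/") (the front-end URL is an assumption; substitute the real one). A True result means the value reaches the page unencoded; after a correct fix the same call returns False while payload_rendered_encoded on the fetched body returns True, showing the text is displayed but inert.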