Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29648: There is an xss vulnerability of HTTP header injection storage in jfinal_cms V5.1.0 · Issue #34 · jflyfox/jfinal_cms

A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request.

CVE
#xss#vulnerability#web

There is a storage XSS vulnerability in the guest TOP10 of jfinal_cms. TOP10 will display the ip of the user, but it can be modified by X-Forwarded-For, where the attacker can insert malicious XSS code. When the administrator logs in, the malicious XSS code triggers successfully.

payload: X-Forwarded-For: 192.168.1.1<script>alert (“xss”)</script>

In the background login interface, enter the account password randomly, fill in the correct verification code, and then submit and grab the package.

The contents of the grab bag are as follows:

Add an X-Forwarded-For here and enter paylaod (192.168.1.1<script>alert (“xss”)</script>)

Then log in with the background administrator account to trigger the storage XSS.

Safety advice:
Strictly filter the user’s input
Strict control of page rendering content

Related news

GHSA-8rp2-j3vj-hgj4: Cross site scripting in Jfinal

A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907