Headline
CVE-2022-29648: There is an xss vulnerability of HTTP header injection storage in jfinal_cms V5.1.0 · Issue #34 · jflyfox/jfinal_cms
A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request.
There is a storage XSS vulnerability in the guest TOP10 of jfinal_cms. TOP10 will display the ip of the user, but it can be modified by X-Forwarded-For, where the attacker can insert malicious XSS code. When the administrator logs in, the malicious XSS code triggers successfully.
payload: X-Forwarded-For: 192.168.1.1<script>alert (“xss”)</script>
In the background login interface, enter the account password randomly, fill in the correct verification code, and then submit and grab the package.
The contents of the grab bag are as follows:
Add an X-Forwarded-For here and enter paylaod (192.168.1.1<script>alert (“xss”)</script>)
Then log in with the background administrator account to trigger the storage XSS.
Safety advice:
Strictly filter the user’s input
Strict control of page rendering content
Related news
A cross-site scripting (XSS) vulnerability in Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted X-Forwarded-For request.