Headline
CVE-2022-25585: Stored XSS exists · Issue #5 · union-home/unioncms
Unioncms v1.0.13 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Default settings.
1.The problem is in system settings - basic settings - default settings - third party code
write:<script>alert(1)</script> Save, open the home page and the XSS code will pop up
The problem is as follows:
2.Management background-content management-all management modules-add a piece of content-insert video in the content, write:img src="x" onerror="alert(1);"
Save, open the corresponding foreground article and background article will pop up XSS code
The problem is as follows: