Headline
CVE-2023-27090: CVE update request: TeaCMS has XSS defects · Issue #I6L9Z2 · XiaoBingBy/TeaCMS - Gitee.com
Cross Site Scripting vulnerability found in TeaCMS storage allows attacker to cause a leak of sensitive information via the article title parameter.
When the title is added to the article published by ordinary users, the title format is not filtered, which can leak sensitive information. Users can publish articles titled <script>alert(document.cookie)</script>, which will cause user cookie leakage when accessed.
缺陷代码位置:/admin/article-new.html
@RequestMapping(value = “/article-new.html”)
public String articleNew(ModelMap modelMap) {
List allCategory = commonMapper.findAllCategory();
List allTag = commonMapper.findAllTag();
/** * 插入图片 */
List allImg = multimediaMapper.findAllImg(null);
PageInfo allImgInfo = new PageInfo(allImg);
modelMap.put("allCategory", allCategory);
modelMap.put("allTag", allTag);
modelMap.put("allImgInfo", allImgInfo.getList());
return “_admin/article/article_new”