Headline
CVE-2020-20070: [security vulnerability] Reflective XSS when view the survey result · Issue #48 · wkeyuan/DWSurvey
Cross Site Scripting vulnerability found in wkeyuan DWSurvey 1.0 allows a remote attacker to execute arbitrary code via thequltemld parameter of the qu-multi-fillblank!answers.action file.
There is a Reflective XSS vulnerability when user view the survey result. The failure of the XSS filter to work properly resulted in this vulnerability, which allows remote attackers to inject arbitrary web script or stole admin’s or other users cookies. The impact of the problem is serious especially when combined with CSRF vulnerability exploitation.
Vulnerability file:
/diaowen/design/qu-multi-fillblank!answers.action
PoC:
/diaowen/design/qu-multi-fillblank!answers.action?quItemId=2c9790db6c74f25f016c7536aed90022&surveyId=2c9790db6c74f25f016c7"><scr<script>ipt>alert(‘XSS’);</script 200