CVE-2022-38545: An XSS bug that can execute code (a user maliciously modifying a comment's UA can trigger XSS code execution) · Issue #400 · xCss/Valine
Valine v1.4.18 was discovered to contain a remote code execution (RCE) vulnerability which allows attackers to execute arbitrary code via a crafted POST request.
The steps to reproduce

The latest version of Valine is 1.4.18.

First select a page to test: https://valine.js.org/hexo.html

Capture the packet, then modify the POST body of the packet and send it.

The payload below will make the comment look normal and allows code execution; Google Chrome and Firefox will both be attacked.

It works.

The alarm information is related to other failed test codes. Please ignore it.

A minimal demo
https://valine.js.org/
https://valine.js.org/hexo.html
http://luckyzmj.cn/posts/1d6f1579.html
Maybe all websites which are using the project will be affected.
Which versions of Valine, and which browser / OS are affected by this issue?
Valine 1.4.18
win10
Google Chrome and Firefox
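The report above says the comment's UA field, which arrives in the client-controlled POST body, is rendered in a way that lets markup in it execute. The following is an added example written for this page, not Valine's own code: it contrasts the unsafe pattern (concatenating an untrusted field straight into HTML) with the hardened one (escaping every untrusted field first), and includes a small check a maintainer could use to confirm that no tag from the input survives into the rendered output. The function names `escapeHtml`, `renderMetaUnsafe`, `renderMetaSafe`, `unexpectedTags`, the CSS class names and the sample comment are all assumptions made for the illustration.

```javascript
// Added example (not Valine's own code): rendering comment metadata safely.
// A comment's "ua" field is client-supplied (it arrives in the POST body), so
// it must be treated as untrusted text, never as HTML.

// Minimal HTML escaper for text placed inside element content or quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: untrusted fields concatenated straight into markup.
// Whatever the submitter put in "ua" becomes part of the page's DOM.
function renderMetaUnsafe(comment) {
  return '<span class="vnick">' + comment.nick + '</span>' +
         '<span class="vua">' + comment.ua + '</span>';
}

// Hardened pattern: every untrusted field is escaped before it enters markup,
// so the browser shows the submitted text instead of interpreting it.
function renderMetaSafe(comment) {
  return '<span class="vnick">' + escapeHtml(comment.nick) + '</span>' +
         '<span class="vua">' + escapeHtml(comment.ua) + '</span>';
}

// Detection aid: list every tag name in the rendered HTML that the template
// itself does not emit. An empty list means no input markup survived.
function unexpectedTags(html, allowed = ['span']) {
  const found = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.push(tag);
  }
  return found;
}

// Constructed sample (not a real capture): a tampered POST body in which "ua"
// carries markup and quotes instead of a genuine user-agent string.
const tamperedComment = {
  nick: 'tester',
  ua: 'Mozilla/5.0 <b class="x">not-a-browser</b> "quoted"',
};

console.log('unsafe:', unexpectedTags(renderMetaUnsafe(tamperedComment)));
console.log('safe:  ', unexpectedTags(renderMetaSafe(tamperedComment)));
console.log(renderMetaSafe(tamperedComment));
```

The same rule applies to every other submitter-controlled field (nickname, link, the parsed browser and OS strings): escape at the point where text meets markup, or assign it with `textContent` rather than `innerHTML`, and keep the `unexpectedTags`-style check in the test suite so a regression is caught before release.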