CVE-2022-27441: XSS storage vulnerability exists in tpcms v3.2 management system · Issue #I3YUCJ · 快乐源泉/tpcms - Gitee.com
A stored cross-site scripting (XSS) vulnerability in TPCMS v3.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Phone text box.
Log in to the tpcms v3.2 management system (default credentials admin/admin888), go to “System Settings” > “Site Configuration” > “Bottom Information” (or “Phone”), enter the XSS payload and save it. The value is stored without output encoding, so opening the front site shows the pop-up window triggered by the payload.
URL:
http://IP/index.php/Admin/Index/index.html
Payload:
<script>alert('hello ');</script>
Because the payload is stored server-side and rendered to every visitor, it can be combined with an XSS platform (a hosted script that collects data from victims' browsers). The attacker enters the malicious payload in the corresponding text box; whenever a visitor opens the TPCMS front site, the visitor's information can be sent to the XSS platform. This can be used for phishing or other follow-on attacks.
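The following is an added example and is not code from TPCMS or from the issue report. It shows, in plain JavaScript, why an administrator-supplied configuration value turns into script on the front site and the two controls that stop it: HTML output encoding for every rendered value, and allowlist validation for a field like Phone that never legitimately contains markup. The render functions, the `config` object and its field names are hypothetical; only the payload string is taken from the report.

```javascript
// Added example (not TPCMS code): why the stored "Phone"/"Bottom Information"
// value becomes script on the front site, and two ways to stop it.
// The render functions and the config field names are hypothetical;
// only the payload string is taken from the issue report.

// Payload from the report, as an admin would save it in the site configuration.
const STORED_PAYLOAD = "<script>alert('hello ');</script>";

// Vulnerable rendering: the stored value is concatenated into the page as-is,
// which is what the report observes (the pop-up appears on the front site).
function renderFooterVulnerable(config) {
  return `<footer><p>Phone: ${config.phone}</p><p>${config.bottomInfo}</p></footer>`;
}

// Output encoding: replace the five characters that can change HTML context.
// This is the same mapping PHP's htmlspecialchars($s, ENT_QUOTES) applies,
// which is what a ThinkPHP-based CMS like TPCMS would use at output time.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;",
  })[ch]);
}

// Hardened rendering: every configuration value is escaped when it is output.
function renderFooterSafe(config) {
  return `<footer><p>Phone: ${escapeHtml(config.phone)}</p><p>${escapeHtml(config.bottomInfo)}</p></footer>`;
}

// Input validation for the Phone field: a phone number never needs markup,
// so accept only an optional leading '+', digits, spaces, '-', '(' and ')'.
// This is a second layer only; output encoding is still required for
// free-text fields such as "Bottom Information".
function isValidPhone(value) {
  return /^\+?[0-9][0-9 ()\-]{4,24}$/.test(value);
}

// Check used below: does the rendered HTML still contain a real script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

const config = { phone: STORED_PAYLOAD, bottomInfo: STORED_PAYLOAD };
console.log(renderFooterVulnerable(config)); // script tag intact: executes in the visitor's browser
console.log(renderFooterSafe(config));       // rendered as text: &lt;script&gt;...
console.log(isValidPhone(STORED_PAYLOAD), isValidPhone("+86 10 1234 5678")); // false true
```

Escaping at output time is the fix that covers every field, because the stored value may be reused in other templates; the Phone allowlist additionally rejects the payload before it is ever saved.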