CVE-2022-36527: XSS vulnerability1 in jfinal_cms 5.1.0 · Issue #45 · jflyfox/jfinal_cms

Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the post title text field under the publish blog module.

There is a stored XSS vulnerability in JFinal_cms's publish blog module. An attacker could insert malicious XSS code into the post title. When users and administrators view the blog post, the malicious XSS code is triggered.

First register a user to test it, then go to the submit blog post page and insert the malicious XSS code in the subject field.

Payload : test1" onmouseover="alert(document.cookie)

Successfully executed malicious XSS code (the original issue attaches a screenshot of the resulting alert dialog, which is not reproduced here).
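The payload above works because the stored title is written into a double-quoted HTML attribute without encoding: the leading `"` closes `value="..."` and the rest of the string becomes a new `onmouseover` attribute on the same element. The following is an added example, not code from JFinal CMS or from the issue reporter; the `<input value="...">` template, the `escapeHtml` helper and the `attributeNames` checker are assumptions used to illustrate the attribute break-out and the output-encoding fix.

```javascript
// Added example (not JFinal CMS code). Shows how the reported payload escapes a
// double-quoted attribute and how HTML output encoding at render time stops it.

// Payload exactly as reported in the issue.
const PAYLOAD = 'test1" onmouseover="alert(document.cookie)';

// Vulnerable rendering (assumed template, for illustration): the stored title
// is concatenated raw into an attribute value. This is the pattern that
// turns the payload into a second attribute on the element.
function renderTitleVulnerable(title) {
  return `<input type="text" name="title" value="${title}">`;
}

// Encode the five characters that can change parsing in HTML text and in a
// double-quoted attribute. Encoding must happen when the value is rendered,
// not only when it is stored, so every output context is covered.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: same template, title passed through escapeHtml().
function renderTitleSafe(title) {
  return `<input type="text" name="title" value="${escapeHtml(title)}">`;
}

// Minimal extractor of attribute names for the single <input> tag produced by
// the two renderers above (an illustration helper, not a general HTML parser).
// It is enough to show which attributes the browser would see on the element.
function attributeNames(tag) {
  const names = [];
  const re = /([a-zA-Z-]+)="([^"]*)"/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// A simple check a reviewer or test can apply to rendered output: any
// attribute starting with "on" that the template did not put there is a
// break-out. Returns true when the rendering is free of injected handlers.
function hasNoEventHandlerAttributes(tag) {
  return !attributeNames(tag).some((n) => n.toLowerCase().startsWith('on'));
}

// Stand-alone demonstration.
console.log(renderTitleVulnerable(PAYLOAD));
console.log(attributeNames(renderTitleVulnerable(PAYLOAD)));
console.log(renderTitleSafe(PAYLOAD));
console.log(attributeNames(renderTitleSafe(PAYLOAD)));
```

In the vulnerable rendering the element ends up with four attributes (`type`, `name`, `value`, `onmouseover`); in the hardened rendering the whole payload stays inside `value` as `test1&quot; onmouseover=&quot;alert(document.cookie)`, which the browser decodes back to the literal text for display but never parses as markup. Note that `escapeHtml` is correct for text nodes and quoted attributes only; an unquoted attribute, a `href`/`src` URL, or an inline script block each needs its own encoder.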

Related news

GHSA-34j6-m83c-52x2: Jfinal Cross-site Scripting vulnerability (GitHub advisory for this CVE; it carries the same description as above).
