CVE-2022-36583: DedeCMS V5.7.97 contains an XSS vulnerability

DedeCMS V5.7.97 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at /dede/co_do.php via the dopost, rpok, and aid parameters.


Published by 1erkeU on 2022-07-19 22:44:33, 551 views

Copyright notice: this is an original article by the blogger, licensed under CC 4.0 BY-SA; when reposting, include a link to the original source and this notice.

DedeCMS V5.7.97 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component /dede/co_do.php via the dopost, rpok, and aid parameters.

Abstract

  • Affected product: DedeCMS V5.7.97
  • Attack type: Remote
  • Affected component: /dede/co_do.php
  • Payload: dopost=replace&rpok=1&aid='><scrIpt>alert(1)</script>

Detail

At line 156 of /dede/co_do.php, the $aid variable passed to ShowMsg() is attacker-controllable: it is read directly from $_GET['aid'].

At line 280 of /include/common.func.php, that $aid value is received as the $gourl parameter of ShowMsg().

At lines 321 and 326 of /include/common.func.php, $gourl is concatenated into the $msg variable and output without any filtering or encoding.
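The three steps above describe a classic reflected XSS chain: a request parameter reaches an HTML-emitting helper and is concatenated into markup without encoding. The PHP below is an added, constructed illustration of that pattern and of the fix a maintainer would apply; it is not DedeCMS's own ShowMsg() or any code from the project, and the function names show_msg_vulnerable, safe_redirect_target, html_encode and show_msg_hardened, as well as the sample request values, are hypothetical.

```php
<?php
// Constructed illustration of the flow described in the advisory (not DedeCMS code):
// a simplified ShowMsg()-style helper in which a request-controlled redirect
// target ($gourl) is concatenated into HTML, first unfiltered, then hardened.

// Vulnerable pattern: $gourl goes straight into the markup, so a value such as
//   '><scrIpt>alert(1)</script>
// closes the attribute and the element, and the script tag reaches the browser.
function show_msg_vulnerable(string $msg, string $gourl): string
{
    return '<div class="msg">' . $msg . '</div>' . "\n"
         . '<a href="' . $gourl . '">' . $gourl . '</a>';
}

// Hardened pattern, two independent layers:
//  1. validate $gourl as an in-site relative path (leading "/", no "//", limited
//     character set) and fall back to a fixed page otherwise;
//  2. HTML-encode everything that is echoed, including the validated target.
function safe_redirect_target(string $gourl, string $fallback = '/dede/'): string
{
    if ($gourl === '' || $gourl[0] !== '/' || substr($gourl, 0, 2) === '//') {
        return $fallback;
    }
    // Characters permitted in a local path plus query string. "<", ">", quotes
    // and whitespace are not in the set, so markup cannot pass validation.
    if (!preg_match('#^/[A-Za-z0-9_.\-/?=&%]*$#', $gourl)) {
        return $fallback;
    }
    return $gourl;
}

// Context-correct encoding for HTML body and attribute values.
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function show_msg_hardened(string $msg, string $gourl): string
{
    $target = safe_redirect_target($gourl);
    return '<div class="msg">' . html_encode($msg) . '</div>' . "\n"
         . '<a href="' . html_encode($target) . '">' . html_encode($target) . '</a>';
}

// Demonstration with the advisory's payload as a constructed request value
// (in the real handler it would arrive via $_GET['aid']).
$aid = "'><scrIpt>alert(1)</script>";

echo "--- vulnerable output (raw <script> tag present) ---\n";
echo show_msg_vulnerable('Operation complete', $aid), "\n\n";

echo "--- hardened output (falls back to /dede/, nothing unencoded) ---\n";
echo show_msg_hardened('Operation complete', $aid), "\n\n";

// A benign in-site target (constructed example) is still accepted and encoded.
echo "--- hardened output for a legitimate target ---\n";
echo show_msg_hardened('Operation complete', '/dede/co_do.php?dopost=list&aid=12'), "\n";
```

Run it with `php example.php`. The point of keeping validation and encoding separate is that each closes a different hole: validation stops the helper from being used as an open redirect or from carrying a javascript: URL into href, while htmlspecialchars() with ENT_QUOTES guarantees that even a value which does get echoed cannot break out of the attribute or element it is placed in. Either layer alone would have prevented the reflected script in this advisory; together they also cover the other parameters the abstract lists if they reach the same helper.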

Recurrence

http://127.0.0.1/dede/co_do.php?dopost=replace&rpok=1&aid=%27%3E%3CscrIpt%3Ealert(666)%3C/script%3E
