bk-itsm icon indicating copy to clipboard operation
bk-itsm copied to clipboard

Published 20 hours ago verified publisher icon TencentBlueKing

申请单据页面存储型XSS漏洞

Open huangpixu opened this issue 5 days ago • 0 comments

版本信息:V2.7.3 安全影响:申请单据详情页面评论处存在存储型XSS,攻击者可通过该漏洞诱导系统用户访问第三方页面进而窃取用户敏感信息 复现过程: 1.模拟POST请求,/api/ticket/remark/ 创建评论接口,传入content内容为:”XSS POC“等a标签带链接

Image

2.点击对应评论的a标签,即可跳转对应的页面

Image

Image

huangpixu avatar Feb 20 '25 02:02 huangpixu