
Jeewx-Boot-v1.3-Storage XSS

Status: Open. Al1ex opened this issue 3 years ago · 0 comments

Information

Exploit Title: Jeewx-Boot-v1.3-Storage XSS
Exploit Date: 01.06.2021
Exploit Author: Al1ex@Heptagram
Vendor Homepage: https://github.com/zhangdaiscott/jeewx-boot
Affected Version: Jeewx-Boot-v1.3
Description: The background voting function module of jeewx-boot-v1.3 allows users to import data through templates but does not filter the data strictly. An attacker can construct an Excel file containing a large amount of data with a malicious payload inserted, then trick the administrator into importing the Excel file to trigger the malicious XSS code.

How to Exploit

Step 1: Download the templates.
Step 2: Insert the malicious payload into the template. [screenshot]
Step 3: Then trick the administrator into importing the template into the application. [screenshot]
The malicious payload was successfully executed. [screenshot]

Suggestion

Entity-encode the imported content when it is output to the page.

Al1ex · Jun 01 '21 07:06
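The suggested fix, entity-encoding imported cell values when the admin page renders them, shown as an added Java example. This is not code from the issue or from the jeewx-boot project: the class name `ImportOutputEncoding`, the helpers `htmlEncode`, `validateCell` and `renderRow`, the column names and the sample row are all assumptions constructed for illustration. It also adds an import-time length and control-character check, since the report notes that the crafted spreadsheet carries a large amount of data along with the payload.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not jeewx-boot code): encode untrusted spreadsheet cell
 * values at the point where they are written into HTML, and apply a
 * basic sanity check when the rows are imported.
 */
public final class ImportOutputEncoding {

    /** Replace the characters that can change HTML body context with entities. */
    public static String htmlEncode(String raw) {
        if (raw == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(raw.length() + 16);
        for (int i = 0; i < raw.length(); i++) {
            char c = raw.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Import-time check (assumed policy): an option name longer than maxLen or
     * containing control characters is not a legitimate vote option, so the
     * importer rejects the row instead of storing it.
     */
    public static String validateCell(String raw, int maxLen) {
        if (raw == null) {
            return "";
        }
        String value = raw.trim();
        if (value.length() > maxLen) {
            throw new IllegalArgumentException("cell exceeds " + maxLen + " characters");
        }
        for (int i = 0; i < value.length(); i++) {
            if (Character.isISOControl(value.charAt(i))) {
                throw new IllegalArgumentException("cell contains control characters");
            }
        }
        return value;
    }

    /** Render one table row; every cell value passes through htmlEncode. */
    public static String renderRow(Map<String, String> row) {
        StringBuilder sb = new StringBuilder("<tr>");
        for (String cell : row.values()) {
            sb.append("<td>").append(htmlEncode(cell)).append("</td>");
        }
        return sb.append("</tr>").toString();
    }

    public static void main(String[] args) {
        // Constructed sample row: what an untrusted template cell might contain.
        Map<String, String> row = new LinkedHashMap<>();
        row.put("optionName", validateCell("<img src=x onerror=alert(1)>", 200));
        row.put("voteCount", validateCell("12", 200));

        // The markup is stored as inert text and rendered as literal characters.
        System.out.println(renderRow(row));

        // An oversized cell is refused at import time rather than stored.
        try {
            validateCell("A".repeat(5000), 200);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The encoding above is correct only for HTML body and quoted attribute context; a value written into a JavaScript string, a URL or a CSS block needs that context's own escaping. In a Spring Boot application the same effect for templates comes from letting the view engine escape by default (for example Thymeleaf's `th:text` rather than `th:utext`) and never concatenating imported values into HTML by hand.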