PESCMS-Ticket icon indicating copy to clipboard operation
PESCMS-Ticket copied to clipboard

Published 20 hours ago verified publisher icon lazyphp

Vulnerability Report: rXss

Open ShawRo0t opened this issue 1 year ago • 2 comments

I found a rXss vulnerability in the latest version of PESCMS Ticket, 'model_id' and 'back_url' input was not safely sanitized.

  • Impact: The attacker can execute a HTML/JS Code (the attacker can stealing cookies,etc..)
  • Environment: Windows 10/PHP 7.0.12
  • File path: Vulnerable files in './PESCMS-Ticket-master/Public/Theme/Ticket/Default/Field/Field_index.php' line 6
    $(function(){
        $("input[name=keyword]").after('<input type="hidden" name="model_id" value="<?=$_GET['model_id']?>"/><input type="hidden" name="back_url" value="<?=$_GET['back_url'] ?? ''?>"/>')
    })
  • POC: Field_index.php?model_id=") Field_index.php?back_url=")

ShawRo0t avatar Nov 21 '23 04:11 ShawRo0t

AFFECTED VERSION:<= v1.3.20

ShawRo0t avatar Jan 02 '24 01:01 ShawRo0t

感谢反馈,上述问题将于1.3.21版本修复。 Thank you, it will fix in v1.3.21

lazyphp avatar Jan 02 '24 03:01 lazyphp