
XiaoBingBy / TeaCMS


CVE update request: TeaCMS has XSS defects

Backlog
Opened this issue  
2023-03-09 11:47

When the title is added to the article published by ordinary users, the title format is not filtered, which can leak sensitive information. Users can publish articles titled <script>alert(document.cookie)</script>, which will cause user cookie leakage when accessed.
Defective code location: /admin/article-new.html

    @RequestMapping(value = "/article-new.html")
    public String articleNew(ModelMap modelMap) {
        // Categories and tags offered by the new-article form
        List allCategory = commonMapper.findAllCategory();
        List allTag = commonMapper.findAllTag();
        // Insert image
        List allImg = multimediaMapper.findAllImg(null);
        PageInfo allImgInfo = new PageInfo(allImg);
        modelMap.put("allCategory", allCategory);
        modelMap.put("allTag", allTag);
        modelMap.put("allImgInfo", allImgInfo.getList());
        // View name of the new-article page
        return "_admin/article/article_new";
    }
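The defect reported above, shown beside the usual fix of HTML-encoding the title at the point where it is written into the page. This is an added example, not TeaCMS code: the class and method names are hypothetical, and plain string concatenation stands in for the project's template, which the issue does not show.

```java
// Added example: output encoding for an article title.
// TitleEncodingDemo, escapeHtml, renderUnsafe and renderSafe are hypothetical names.
public class TitleEncodingDemo {

    /** Encode the five characters that are significant in HTML text and quoted attributes. */
    static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** The defect: the stored title is concatenated into markup unchanged. */
    static String renderUnsafe(String title) {
        return "<h1 class=\"article-title\">" + title + "</h1>";
    }

    /** The fix: the title is encoded where it enters the HTML output. */
    static String renderSafe(String title) {
        return "<h1 class=\"article-title\">" + escapeHtml(title) + "</h1>";
    }

    public static void main(String[] args) {
        // Constructed sample titles; the second is the one quoted in the issue.
        String[] titles = {
            "Tea & \"biscuits\"",
            "<script>alert(document.cookie)</script>"
        };
        for (String title : titles) {
            String safe = renderSafe(title);
            System.out.println("unsafe: " + renderUnsafe(title));
            System.out.println("safe:   " + safe);
            // After encoding, no raw script tag from the title survives.
            if (safe.contains("<script")) {
                throw new IllegalStateException("title was not encoded");
            }
        }
    }
}
```

Encoding on output keeps the stored title intact for editing while rendering it as text. Marking the session cookie HttpOnly additionally keeps it out of `document.cookie` should an encoding gap remain.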

Comments (3)

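jacky created the task

Dear author, please do not close this; I will close it once the CVE is updated.

Can something like this get a CVE?

I'd like to give it a try, hehe.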

jacky changed description
