[security vulnerability] Reflective XSS when view the survey result

Question

[security vulnerability] Reflective XSS when view the survey result

niro001 opened this issue 5 years ago · 1 comments

There is a Reflective XSS vulnerability when user view the survey result. The failure of the XSS filter to work properly resulted in this vulnerability， which allows remote attackers to inject arbitrary web script or stole admin's or other users cookies. The impact of the problem is serious especially when combined with CSRF vulnerability exploitation.

Vulnerability file:
/diaowen/design/qu-multi-fillblank!answers.action

PoC:
/diaowen/design/qu-multi-fillblank!answers.action?quItemId=2c9790db6c74f25f016c7536aed90022&surveyId=2c9790db6c74f25f016c7"><scr<script>ipt>alert('XSS');</script 200

Answer 1 · 2020-04-22T11:38:01.000Z

@wkeyuan has this issue been addressed?
Please note that CVE-2019-15095 was assigned.