Open the pescms login interface, enter the user name and password, capture the package, obtain the "back_url" parameter,
splice the parameters, and enter the code after the parameters for testing, http://XXXX/?m=Login&a=index&back_url=%22%3E%3Cscript%3Ealert(1);% 3C / script% 3E, XSS vulnerability is found.
By checking the source code, "back_url" is not filtered
