Jeewx-Boot-v1.3-Storage XSS

## Information
```
Exploit Title:Jeewx-Boot-v1.3-Storage XSS
Exploit date:01.06.2021
Exploit Author:Al1ex@Heptagram
Vendor Homepage:https://github.com/zhangdaiscott/jeewx-boot
Affect Version:Jeewx-Boot-v1.3
Description:The background voting function module of jeewx-boot-v1.3 allows users to import data through templates, but does not filter the data strictly. An attacker can construct an excel with massive data and insert a malicious payload, and then cheat the administrator to import the Excel to trigger malicious XSS code.
```
## How to Exploit
Step 1：download templates
Step 2：Insert malicious payload into template
![image](https://user-images.githubusercontent.com/38161463/120284520-e8487600-c2ee-11eb-882f-0e033c45a1e5.png)
Step 3：Then cheat the administrator to import the template application
![image](https://user-images.githubusercontent.com/38161463/120284551-f1394780-c2ee-11eb-8cb6-7bbd3b5865d4.png)
The malicious payload was successfully executed
![image](https://user-images.githubusercontent.com/38161463/120284601-fdbda000-c2ee-11eb-9d3d-e8f50945fbbd.png)

## Suggestion
Encode the output content entity



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Jeewx-Boot-v1.3-Storage XSS #33

Information

How to Exploit

Suggestion

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Jeewx-Boot-v1.3-Storage XSS #33

Description

Information

How to Exploit

Suggestion

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions