Colorwork stored XSS vulnerability allows you to obtain permissions of other users (3 packages)
Previously, my friend reported that the XSS was fixed, but it was obvious that the XSS was fixed ......
Other locations still have loose filtering and can be used to obtain the permissions of other users.
I took the test the day after tomorrow. I would like to likes my character today. By the way, I am familiar with Tsinghua senior xuejie ~
(PS: In fact, I also tested the excessive permission for half a day. I thought there would always be so many places, but I didn't find 555)
The calendar, task, and signature fields are not filtered, resulting in stored XSS.
Other team members are affected when they enter the team.
Their cookie can then be obtained and used to hijack their account.
Solution:
#1. There should be a document in that place. Maybe your server has some problems, so you cannot open the webpage ......
#2. Filter dangerous characters.
#3. Self-check! He fell twice in the same place.
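
For solution #2, one way to apply the filtering once at render time instead of per input location, so the calendar, task and signature fields cannot be missed individually. This is an added example, not Colorwork's code; the function names, the view markup and the cookie name `sid` are assumptions.

```javascript
// Added example: central output encoding for the three fields named in the
// report, plus an HttpOnly session cookie. All names here are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change HTML context (text or quoted attribute).
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: every interpolated value is encoded, so a field added to
// a view later still passes through escapeHtml without a per-field filter.
function html(strings, ...values) {
  return strings.reduce(
    (out, s, i) => out + s + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Renders one team member's entry (hypothetical view).
function renderMember(member) {
  return html`<li title="${member.signature}">
  <span class="task">${member.task}</span>
  <span class="calendar">${member.calendar}</span>
</li>`;
}

// Session cookie that page script cannot read, which limits what a missed
// XSS can take from another user's browser.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: markup stored in each of the three fields.
const sample = {
  signature: '" onmouseover="alert(1)',
  task: '<script>alert(1)</script>',
  calendar: "<img src=x onerror='alert(1)'>",
};

console.log(renderMember(sample));
console.log(sessionCookieHeader('constructed-session-id'));
```

Encoding at output covers HTML text and quoted-attribute contexts only; values placed into URLs, inline scripts or style attributes need their own context-specific handling.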