Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Javascript Injection in Vending Info/Buyers Info Module in FluxCP
Vulnerability Description
FluxCP is a web-based Control Panel for rAthena servers written in PHP. A javascript injection is possible via venders/buyers list pages and shop names, that are currently not sanitized. This allows executing arbitrary javascript code on the user's browser just by visiting the shop pages. As a result all logged in to fluxcp users can have their session info stolen. This issue has been addressed in release version 1.3. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
FluxCP 安全漏洞
Vulnerability Description
FluxCP是rAthena开源的一个基于 web 的控制面板。用于用 PHP 编写的 rAntha 服务器。 FluxCP 1.3之前版本存在安全漏洞,该漏洞源于venders/buyers列表页面和商店名称未经过滤,允许执行任意javascript代码,这可以通过访问商店页面在用户的浏览器上实现,可能导致所有登录用户的会话信息被窃取。
CVSS Information
N/A
Vulnerability Type
N/A