Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Wallos: Stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint
Vulnerability Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, a stored cross-site scripting (XSS) vulnerability in the payment method rename endpoint allows any authenticated user to inject arbitrary JavaScript that executes when any user visits the Settings, Subscriptions, or Statistics pages. Combined with the wallos_login authentication cookie lacking the HttpOnly flag, this enables full session hijacking. This issue has been patched in version 4.7.0.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
Wallos 跨站脚本漏洞
Vulnerability Description
Wallos是Miguel Ribeiro个人开发者的一个开源个人订阅跟踪器。 Wallos 4.7.0之前版本存在跨站脚本漏洞,该漏洞源于支付方式重命名端点存在存储型跨站脚本,可能导致任何经过身份验证的用户注入任意JavaScript,并在任何用户访问设置、订阅或统计页面时执行,结合缺少HttpOnly标志的wallos_login认证cookie,可能导致完整会话劫持。
CVSS Information
N/A
Vulnerability Type
N/A