Books_Manager XSS
2026-01-13 00:00:00 # Vulnerability

Vulnerability Introduction

The controllers/books_center/add_book_check.php interface has a stored XSS vulnerability: an attacker can supply JavaScript as the product name (the mark parameter), the server stores it unchanged, and the injected script runs when the stored value is displayed, resulting in a stored XSS vulnerability.

Vulnerability analysis

Vulnerability class file: Books_Manager/books_center/add_book_check.php

[screenshot: image-20260113154031118]

add_book_check.php receives the mark parameter and writes it straight to the database without checking the incoming content, so a stored XSS vulnerability exists.
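The pattern described above, as an added illustration that is not Books_Manager's own code: a stand-in handler that stores mark as received and echoes it raw, beside a hardened version that validates the input and HTML-encodes the value at output time. An in-memory array is assumed in place of the database table.

```php
<?php
// Added example, not Books_Manager's own code. An in-memory array stands in for
// the books table; in a real handler the value would go to the database via a
// prepared statement, and the same encoding rule applies when it is read back.
declare(strict_types=1);

$books = [];   // id => mark (product name), stand-in for the database table

// Vulnerable pattern from the analysis: mark is stored as received and later
// echoed into the page without encoding.
function add_book_vulnerable(array &$books, array $post): void
{
    $books[(int)$post['id']] = $post['mark'];   // no check on the incoming content
}
function render_vulnerable(string $mark): string
{
    return "<td>$mark</td>";   // a stored payload becomes live markup for every viewer
}

// Hardened pattern: reject implausible input at the boundary and, more
// importantly, HTML-encode the value wherever it is placed into the page.
function add_book_hardened(array &$books, array $post): void
{
    $mark = trim((string)($post['mark'] ?? ''));
    if ($mark === '' || mb_strlen($mark, 'UTF-8') > 100) {
        throw new InvalidArgumentException('mark must be 1..100 characters');
    }
    $books[(int)($post['id'] ?? 0)] = $mark;
}
function render_hardened(string $mark): string
{
    // ENT_QUOTES also encodes single quotes, so the value is safe inside attributes too
    return '<td>' . htmlspecialchars($mark, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample input: a product name carrying a script tag.
$post = ['id' => 1, 'mark' => '<script>alert(1)</script>'];

add_book_vulnerable($books, $post);
assert(render_vulnerable($books[1]) === '<td><script>alert(1)</script></td>');   // live script

add_book_hardened($books, $post);
assert(render_hardened($books[1]) === '<td>&lt;script&gt;alert(1)&lt;/script&gt;</td>');   // inert text
echo render_hardened($books[1]), PHP_EOL;
```

The encoding must be applied at every place the stored value is rendered, not only on the add form; input length checks alone do not stop a short payload.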

Vulnerability reproduction

[screenshot: image-20260113154301592]

After entering the following code as the product name and clicking the submit button, the JS code was found to execute successfully.

[screenshot: image-20260113154350854]
