XSS vulnerability exists in jfinal_cms V5.1.0

## Summary

There is XSS vulnerability below!
The reason for the vulnerability is that there is no filter on user input. According to the guidelines of CMS, We can create a user, and we can control the user's account number, password and email and so on.....

## Exploition
After, There are many ways to trigger the vulnerability! The one is that we can make a  comment and wait other users to click the user created by ourselves. The another one can get admin's secrect util admin login.

OK! We will create a user at first.
![image](https://user-images.githubusercontent.com/121624844/209973101-fee3b650-e7ad-4e3e-b1c4-d9fdf1ccc9d3.png)
Press the submit button, we get a alert below
![image](https://user-images.githubusercontent.com/121624844/209974238-daf55fa1-bb3b-44d3-b09c-22a8a6e45ff3.png)
we can create a normal user account via this way, and then we can update the information
![image](https://user-images.githubusercontent.com/121624844/209974598-2d39becd-3010-4a64-aaeb-dc5c616640ca.png)

![image](https://user-images.githubusercontent.com/121624844/209974823-4e23736d-8614-4fd7-9b8f-a35f641909ce.png)

After we update the user's information, wo would wait!
When the admin user login, we can get its secrect!
![image](https://user-images.githubusercontent.com/121624844/209975300-7cf69b95-f617-4834-8075-3d16062950ad.png)

![image](https://user-images.githubusercontent.com/121624844/209975423-b3091bf7-f6d7-445b-ad87-3f9c3d11315a.png)



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

XSS vulnerability exists in jfinal_cms V5.1.0 #53

Summary

Exploition

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

XSS vulnerability exists in jfinal_cms V5.1.0 #53

Description

Summary

Exploition

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions