There is a storage xss in the add module of friendly links in Taocms3.0.2.

- Payload: `<script>alert(documnet.cookie)</script>`

Click on the left link module, and then click add

![image](https://user-images.githubusercontent.com/54017627/154786428-41124deb-b509-44b3-bb2f-83862ca41756.png)


Enter our payload and click submit

<img alt="image" src="https://user-images.githubusercontent.com/54017627/154786317-69aae8cb-2a39-4853-b971-3b2e89dc51dd.png">

Found that payload has been executed

<img alt="image" src="https://user-images.githubusercontent.com/54017627/154786297-474e25d9-8bc2-49b1-8c88-e3f40989186e.png">


Back to the home page, because it is a friendly link, the front desk is also affected.

![image](https://user-images.githubusercontent.com/54017627/154786394-e24bd584-6dcd-4faa-9ba3-c3e7ec379bd3.png)



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

There is a storage xss in the add module of friendly links in Taocms3.0.2. #30

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

There is a storage xss in the add module of friendly links in Taocms3.0.2. #30

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions