Headline
CVE-2022-23367: fulusso DOM-based XSS
Fulusso v1.1 was discovered to contain a DOM-based cross-site scripting (XSS) vulnerability in /BindAccount/SuccessTips.js. The ReturnUrl query parameter is used as the post-login redirect target without validation, so an attacker who gets a victim to log in through a crafted link can turn the open redirect into execution of arbitrary JavaScript in the victim's browser, on the site's origin.
Vulnerability Report
target: fulusso, version 1.1
root cause
On the front page, the React code parses location.search and uses the ReturnUrl value without any validation. When a victim logs in through an attacker-supplied link, the page redirects to whatever ReturnUrl holds; a javascript: URL is navigated to and executed, so the attacker's JavaScript runs in the victim's session. Note that HTML escaping would not help here: the value is used as a navigation target, not rendered as markup, so the fix is to reject any ReturnUrl whose scheme is not http(s) or whose origin is not the site's own.
PoC
https://account.suuyuu.cn/login.html?ReturnUrl=javascript:alert(document.location)
The site above is the demo deployment of fulusso provided by the authors.
login info for the demo: id 13111111111, pw test1234
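The root cause and PoC above, as an added example that is not fulusso's code: a function that models the post-login redirect the way the report describes it (ReturnUrl taken straight from location.search and used as the navigation target), beside a hardened replacement that resolves the value against the page's own origin and accepts only same-origin http(s) paths. The function names, the pageOrigin parameter, and the sample query strings are assumptions made for this illustration; the page origin is the demo site from the PoC.

```javascript
// Added example, not code from fulusso. Models the redirect that a
// SuccessTips.js-style page performs after a successful login.
// Assumption: the page reads ReturnUrl from location.search and navigates to it.

// Parse the ReturnUrl parameter from a location.search string.
function getReturnUrl(search) {
  return new URLSearchParams(search).get("ReturnUrl");
}

// Vulnerable pattern: whatever ReturnUrl holds becomes the navigation target.
// Assigning "javascript:alert(document.location)" to location.href runs that
// script in the page's origin, which is the open-redirect-to-XSS chain in the report.
function vulnerableRedirectTarget(search) {
  const target = getReturnUrl(search);
  return target || "/";
}

// Hardened replacement: resolve ReturnUrl against the page's own origin and
// accept only same-origin http(s) targets; anything else falls back to "/".
// The scheme check rejects javascript:, data: and vbscript: URLs; the origin
// check rejects absolute and protocol-relative URLs to other hosts, including
// WHATWG quirks such as "/\evil.example", which the URL parser treats as "//evil.example".
function safeRedirectTarget(search, pageOrigin) {
  const raw = getReturnUrl(search);
  if (!raw) return "/";
  let parsed;
  try {
    parsed = new URL(raw, pageOrigin); // relative paths resolve to pageOrigin
  } catch {
    return "/"; // unparseable value: do not redirect anywhere attacker-chosen
  }
  const httpScheme = parsed.protocol === "https:" || parsed.protocol === "http:";
  if (!httpScheme || parsed.origin !== pageOrigin) {
    return "/";
  }
  // Return a same-origin path only, never an absolute URL, so the caller
  // cannot accidentally reintroduce the open redirect.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed inputs: the PoC query string from the report and a benign path.
const PAGE_ORIGIN = "https://account.suuyuu.cn";
const POC_SEARCH = "?ReturnUrl=javascript:alert(document.location)";
console.log("vulnerable:", vulnerableRedirectTarget(POC_SEARCH));
console.log("hardened:  ", safeRedirectTarget(POC_SEARCH, PAGE_ORIGIN));
console.log("benign:    ", safeRedirectTarget("?ReturnUrl=/BindAccount/SuccessTips.html?u=1", PAGE_ORIGIN));
```

The hardened version deliberately returns a path rather than the parsed absolute URL, and it does not try to blocklist schemes: an allowlist of http(s) plus a strict origin comparison is the only check that survives encoding tricks, mixed-case schemes, and embedded whitespace, all of which the WHATWG URL parser normalises before the comparison runs.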
