Skip to content

Instantly share code, notes, and snippets.

@LockeTom

LockeTom/CVE-2025-60646.md

Last active October 21, 2025 01:56
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save LockeTom/0a02c0b2e2011abfbdf4e5fdbcc9b371 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save LockeTom/0a02c0b2e2011abfbdf4e5fdbcc9b371 to your computer and use it in GitHub Desktop.
Download ZIP
CVE-2025-60646.md
Raw
CVE-2025-60646.md

CVE-2025-60646:stored cross-site scripting (XSS)

1、描述(Description)

xxl-api v1.3.0及以下版本,项目管理、数据类型管理、业务线管理及用户管理等模块存在跨站脚本攻击漏洞,以下仅展示业务线管理模块中的漏洞利用,其余模块均可参照此步骤复现(Xxl-api v1.3.0 and below, there are cross-site script attack vulnerabilities in modules such as project management, data type management, business line management and user management. The following only shows the exploit of vulnerabilities in the business line management module, and the rest of the modules can be reproduced by referring to this step. )

2、复现步骤(Steps to reproduce)

2.1、第一步(Step 1)

拉取最新的代码,本地部署运行。(Pull up the latest code and run it on-premises.)

2.2、第二步(Step 2)

登录系统后,在业务线管理模块中新增业务线操作,在业务线名称字段中插入xss的poc。(After logging in to the system, add a line of business operation to the Business Line Management module and insert the POC of XSS in the Business Line Name field.)

image

2.3、第三步(Step 3)

保存数据(Save data) image

2.4、第四步(Step 4)

进入业务线管理模块,触发poc(Go to the Business Line Management module and trigger the POC) image

4、产品(Product)

https://github.com/xuxueli/xxl-api

5、版本(Versions)

xxl-api ≤ v1.3.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment