target: fulusso version: 1.1
on front page React object, location.search query is parsed and used without any escape. When a victim succeeds login to the page from attacker's link, malicious JS code can be injected and executed.
https://account.suuyuu.cn/login.html?ReturnUrl=javascript:alert(document.location)
this website is a demo site using fulusso which the authors provide.
login info id: 13111111111 pw: test1234