Build the source code locally by downloading
And I deploy the source code in the local environment, set the domain name to www.test.com/admin, equivalent to localhost/admin
The vulnerability exists: www.test.com/admin/auth/menu
Visit URL: www.test.com/admin to log in; username and password default to admin, admin
After entering the background, click admin, menu
Fill in the payload `<script>alert("1");</script>` in the Title field of the NEW module and click the submit button. You will find that a pop-up window appears every time you click on the menu option you created, and you will find that it is a storage type XSS.
Pop-ups appear every time you click on a menu option you create
Click admin, extensions, then click quick create, write the payload `<script>alert("1");</script>` in name, and then click submit. A pop-up window appears, so XSS also exists here.
This is v2.2.2-beta, and the same xss vulnerability appears in v2.2.2-beta.
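
The behaviour reported above (a stored Title or name value executing each time it is rendered) comes down to output encoding. The following is an added example, not part of the original issue and not Dcat Admin code; the function names and sample rows are hypothetical. It shows the same stored value rendered raw and rendered with HTML encoding, plus a check that flags raw markup in the output:

```php
<?php
// Added illustration, not Dcat Admin code; all function names are hypothetical.

// Constructed rows standing in for a stored menu title and extension name.
$stored = [
    'menu.title'     => '<script>alert("1");</script>',
    'extension.name' => 'Reports & Charts',
];

// Unsafe pattern: the stored value is concatenated into markup unchanged,
// so the browser parses it as HTML on every page view.
function renderRaw(string $value): string
{
    return '<span class="menu-title">' . $value . '</span>';
}

// Hardened pattern: encode for the HTML context at output time.
// ENT_QUOTES keeps the value inert if it is later placed in an attribute.
function renderEscaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="menu-title">' . $safe . '</span>';
}

// Regression check: inside the wrapper the template emits, no raw angle
// bracket from stored data may survive rendering.
function containsInjectedMarkup(string $html): bool
{
    $inner = preg_replace('#^<span class="menu-title">(.*)</span>$#s', '$1', $html);
    return strpbrk($inner, '<>') !== false;
}

foreach ($stored as $field => $value) {
    printf(
        "%-15s raw=%s escaped=%s\n",
        $field,
        containsInjectedMarkup(renderRaw($value)) ? 'MARKUP' : 'ok',
        containsInjectedMarkup(renderEscaped($value)) ? 'MARKUP' : 'ok'
    );
}
```

In Laravel Blade templates, `{{ $value }}` applies this encoding and `{!! $value !!}` does not.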
taynes-llllzt changed the title from "Dcat Admin v2.2.0-beta There is an xss cross-site scripting vulnerability exists /admin/auth/menu" to "Dcat Admin v2.2.0-beta There is an xss cross-site scripting vulnerability exists /admin/auth/menu&&/admin/auth/extensions" on Nov 29, 2024