There is a storage XSS vulnerability in the guest TOP10 of jfinal_cms. TOP10 will display the ip of the user, but it can be modified by X-Forwarded-For, where the attacker can insert malicious XSS code. When the administrator logs in, the malicious XSS code triggers successfully.

payload: X-Forwarded-For: 192.168.1.1<script>alert ("xss")</script>

In the background login interface, enter the account password randomly, fill in the correct verification code, and then submit and grab the package.

The contents of the grab bag are as follows:

Add an X-Forwarded-For here and enter paylaod (192.168.1.1<script>alert ("xss")</script>)

Then log in with the background administrator account to trigger the storage XSS.

Safety advice:
Strictly filter the user's input
Strict control of page rendering content