We found results for “


Date: October 14, 2022


In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload that leads to execution of javascript code, through the 'Normal Upload' functionality to the Media Library. When an admin user views the uploaded file, a low privilege attacker will get access to the admin’s cookie leading to account takeover


The "Gin-Vue-Admin" application is affected by "Unrestricted File Upload" vulnerability, where a low privilege user can upload a HTML that contains a malicious Javascript code to the Media Library, and when a victim views the file, the attacker will have access to the victim's cookie and his account.

PoC Details

1. Access the application from a web browser and log in as an admin user.
2. Open a private window and log in as a regular (Low privileges) user.
3. Go to the personal information, click on the profile image, and then click on the 'Normal Upload' button.
4. Create a .png file with the code in the PoC code section below.
5. Create a HTTP server using python (python3 -m http.server 3333)
6. Select the takeover.png and intercept the request.
7. Change the name of takeover.png to takeover.html and forward the request.
8. Go to the Media Library (Upload and Download) from the admin account and open the takeover.html ('Open image in New Tab'). This will trigger the XSS payload from takeover.html and send the admin cookie to the attacker’s server, leading to account takeover.

PoC Code

takeover.png file:

var i=new Image;

Affected Environments

Gin-Vue-Admin versions v2.5.1 through v2.5.3beta


No Fix

Language: Go

Good to know:


Cross-Site Scripting (XSS)


Unrestricted Upload of File with Dangerous Type


Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High