An issue was discovered in Hsycms V1.1 . There is an XSS vulnerability via /book page
1. The attacker opens http://127.0.0.1/book/, and enters the following at the name.
"><img src=1 onerror=alert(location.href)>
2.The vulnerability is triggered when administrators view messages.
![](https://img2018.cnblogs.com/blog/1579913/201902/1579913-20190217002214533-1816863313.png)
![](https://img2018.cnblogs.com/blog/1579913/201902/1579913-20190217002021162-740604370.png)