Cross-site Scripting (XSS) - Stored in zoujingli/thinkadmin

Valid

Reported on

Sep 17th 2021


Description

Stored XSS: saved reply content allows arbitrary execution of JavaScript.

Proof of Concept

In WeChat management, in any of the following features:
- Reply rule management
- Follow reply configuration
- Default reply configuration
- Follow automatic replies

Save the reply text with this payload: </titLe/</teXtarEa/</scRipt/--!>\x3csVg/<iMg SrC="x" oNeRRor="alert(1);">\x3e
The XSS triggers when the page is reloaded or when the entry is opened for editing.

Video PoC

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We contacted a member of the zoujingli/thinkadmin team a month ago and are waiting to hear back.
邹景立 validated this vulnerability a month ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
邹景立
a month ago

Maintainer


HTML needs to be parsed during mobile phone preview. Only HTML executable script filtering can be done here.

lethanhphuc
a month ago

Researcher


I noticed this problem happened when the textarea tags were escaped by my payload rather than the mobile phone preview.

邹景立
a month ago

Maintainer


I already know the problem. Now I'm going to XSS filter the submitted data and delete the on* and script of all elements.
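The two defensive measures this thread points at, filtering script elements and on* attributes out of the submitted data and escaping the stored value when it is written back into the edit form's textarea, as an added Python example that is not ThinkAdmin's code and not part of this report; the class and function names are hypothetical, and the payload is the one from the proof of concept above.

```python
import re
from html import escape
from html.parser import HTMLParser

# Elements dropped with their content, attributes carrying URLs, and elements
# that must not get a closing tag when re-serialised.
DROP_ELEMENTS = {"script", "style", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
VOID_ELEMENTS = {"img", "br", "hr", "input", "area", "col", "source"}
# The payload from the report, as a raw string so the literal \x3c survives.
PAYLOAD = r'</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<iMg SrC="x" oNeRRor="alert(1);">\x3e'

class ReplyTextSanitizer(HTMLParser):
    """Re-serialises reply HTML without script-like elements, on* handlers
    or javascript:/data: URLs (hypothetical helper, not ThinkAdmin's code)."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives entity-decoded
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.skip_depth += 1
        elif not self.skip_depth:
            kept = []
            for name, value in attrs:
                value = value or ""
                # Values are already decoded, so javascript&#58; is caught too;
                # whitespace is removed because browsers ignore it in the scheme.
                scheme = re.sub(r"\s", "", value).lower()
                if name.startswith("on") or (name in URL_ATTRS and
                        scheme.startswith(("javascript:", "data:", "vbscript:"))):
                    continue
                kept.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in VOID_ELEMENTS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text nodes are re-escaped; comments are dropped
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize_reply_html(html):
    """Filter the submitted reply text before it is stored or previewed."""
    parser = ReplyTextSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

def textarea_value(raw):
    """Escape a stored value for the edit form's <textarea>: an unescaped
    </textarea> closes the control and hands the rest to the HTML parser."""
    return escape(raw, quote=True)
```

The sanitizer is an allowlist on attributes, not on elements, so it removes the executable parts while leaving ordinary markup for the mobile preview intact.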

邹景立
a month ago

Maintainer


Execute the following command to resolve the problem:

composer update

php think xadmin:install wechat

邹景立 confirmed that a fix has been merged on c1d724 a month ago
邹景立 has been awarded the fix bounty