Issue ID: CVE-2022-33113 #44
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Description: Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module. Fixed in any other branch? : Fix doesn't exist in any of the existing branches. Rootcause: This vulnerability affects an unknown part of the Jfinal CMS component Publish Blog Module. The manipulation of the argument "keyword" with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors. Steps to reproduce: - There is a stored XSS vulnerability in JFinal_cms 's publish blog module. - An attacker can insert malicious XSS code into the "Keyword" field. When the user views the content of the article in the foreground, the malicious XSS code is triggered successfully. - payload: " onmouseover="alert(document.cookie) Additional Findings: - As per the CVE-2022-33113, XSS vulnerability is seen in the "Keyword" field. But, the same vulnerability is applicable to "Topic" field as well. Fix: - The fix here is to ensure that the input strings from the portal is sanitized properly to get rid of the html strings/tags. - Here, we are making use of Apache common-lang's StringEscapeUtils APIs - escapeHtml() and unescapeHtml(). - escapeHtml(): Escapes the characters in a String using HTML entities. For example: "bread" & "butter" becomes: "bread" & "butter". - unescapeHtml(): Unescapes a string containing entity escapes to a string containing the actual Unicode characters corresponding to the escapes. For example, the string "<Français>" will become "<Français>". - The fix is added in "AlertController" and "PersonController" classes in "com.jflyfox.modules.front.controller" packages. Also, "HtmlUtils" class will now expose two utility methods - escapeHtml() and unescapeHtml(), which can be used if required else where. - The changes are added here to make use of the escapeHtml() and unescapeHtml() in "HtmlUtils" class for strings specified in "Topic" and "Keyword" fields. Unit Testing: - Verified that the XSS vulnerability is no more applicable for "Topic" and "Keyword" fields. - Verified the fix in Chrome, Mozilla and Firefox browsers.
|
您好,您的来信我已收到!谢谢!
Best Wishes!
——孔祥亮
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description: Jfinal CMS v5.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the keyword text field under the publish blog module.
Fixed in any other branch? : Fix doesn't exist in any of the existing branches.
Rootcause:
This vulnerability affects an unknown part of the Jfinal CMS component Publish Blog Module. The manipulation of the argument "keyword" with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. An attacker might be able to inject arbitrary html and script code into the web site. This would alter the appearance and would make it possible to initiate further attacks against site visitors.
Steps to reproduce:
Additional Findings:
Fix:
Unit Testing: