CVE-2022-35151: kkFileView XSS Vulnerability · Issue #366 · kekingcn/kkFileView
kkFileView v4.1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java.
kkFileview v4.1.0 has an XSS vulnerability, which may lead to the leakage of website cookies.
In kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java, at lines 71 and 86, the "urls" and "currentUrl" parameters are user-controllable and are output to the page without any filtering of special characters.
The vulnerable code is located at lines 75 and 86 in kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java. The 'urls' and 'currentUrl' parameters are user-controllable, and they are output to the page without filtering special characters.
```java
@RequestMapping(value = "/picturesPreview")
public String picturesPreview(String urls, Model model, HttpServletRequest req) throws UnsupportedEncodingException {
    String fileUrls;
    try {
        fileUrls = new String(Base64.decodeBase64(urls));
    } catch (Exception ex) {
        String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "urls");
        return otherFilePreview.notSupportedFile(model, errorMsg);
    }
    logger.info("预览文件url:{},urls:{}", fileUrls, urls);
    // Extract the files and return the file list
    String[] images = fileUrls.split("\\|");
    List<String> imgUrls = Arrays.asList(images);
    // Decoded, unvalidated user input is handed to the view as-is
    model.addAttribute("imgUrls", imgUrls);
    String currentUrl = req.getParameter("currentUrl");
    if (StringUtils.hasText(currentUrl)) {
        String decodedCurrentUrl = new String(Base64.decodeBase64(currentUrl));
        // Same pattern for currentUrl: base64-decoded and passed through unescaped
        model.addAttribute("currentUrl", decodedCurrentUrl);
    } else {
        model.addAttribute("currentUrl", imgUrls.get(0));
    }
    return PICTURE_FILE_PREVIEW_PAGE;
}
```
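As an added example (not kkFileView's own code or its fix), the hardened form of the same pattern: decode the base64 "urls" list, accept only well-formed http/https URLs, and HTML-escape whatever is finally written to the page. The class `PreviewUrlGuard`, its method names and the sample input are assumptions constructed for this illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

// Added example, not kkFileView's own fix: validate the base64-encoded
// "urls" list before it reaches a template, and escape on output.
public class PreviewUrlGuard {
    // Decode exactly as the vulnerable handler does, then keep only
    // well-formed http/https URLs; markup smuggled into the list is rejected.
    // (java.util.Base64 is strict and throws IllegalArgumentException on bad input.)
    static List<String> decodeAndValidate(String urlsParam) {
        String decoded = new String(Base64.getDecoder().decode(urlsParam), StandardCharsets.UTF_8);
        List<String> safe = new ArrayList<>();
        for (String candidate : decoded.split("\\|")) {
            try {
                URI u = new URI(candidate);
                String scheme = u.getScheme();
                if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                    throw new IllegalArgumentException("unsupported scheme in: " + candidate);
                }
                safe.add(u.toString());
            } catch (URISyntaxException e) {
                throw new IllegalArgumentException("malformed url in list: " + candidate, e);
            }
        }
        return safe;
    }

    // Defence in depth: HTML-escape anything that is finally written into the page,
    // so a value that slipped past validation still cannot break out of its context.
    static String htmlEscape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }

    public static void main(String[] args) {
        // Constructed sample: one genuine image URL followed by injected markup.
        String raw = "https://example.com/a.png|<script>x</script>";
        String param = Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
        try {
            decodeAndValidate(param);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(htmlEscape("<script>x</script>"));
    }
}
```

Output encoding belongs in the template layer too (the view engine's auto-escaping), so that every model attribute, not just these two, is rendered safely.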