Yangshare Warehouse Manager Cross-Site Scripting Vulnerability in Customer Management Function
Vulnerability
A stored cross-site scripting vulnerability has been identified in Yangshare Warehouse Manager version 1.1.0. The issue arises in the Customer Management feature, specifically within the 'addCustomer' function of 'CustomerManageHandler.java'. The vulnerability allows malicious scripts to be injected through the 'name' parameter; because the value is stored, the script later executes in the browser of any user who views the customer data. This exploitation can be performed remotely and has been publicly disclosed.
Impact
Exploitation of this vulnerability results in stored cross-site scripting, where the injected script is executed in the context of every user who accesses the affected data. This could lead to session cookie theft and impersonation of the victim.
Reproduction
To reproduce this vulnerability, add a new customer through the 'addCustomer' function in the Customer Management module. Input a script payload into the 'name' field, along with other required information. Once submitted, the script will be executed when the customer data is viewed, demonstrating the cross-site scripting vulnerability.
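As an added example (not code from the Yangshare project), the following hypothetical Java guard shows the two defences that close this class of bug in a handler like 'addCustomer': validating the 'name' field on input and HTML-escaping it on output, so that a stored payload is rendered as inert text. The class name, the length limit and the sample values are assumptions.

```java
// Added example, not from Yangshare Warehouse Manager: a hypothetical guard
// for the customer 'name' field. Names are validated on input and HTML-escaped
// on output, so a stored payload is rendered as inert text rather than executed.
public final class CustomerNameGuard {

    private static final int MAX_NAME_LENGTH = 64; // assumed limit for this example

    // Reject input that cannot be a legitimate customer name.
    public static boolean isValidName(String name) {
        if (name == null || name.isBlank() || name.length() > MAX_NAME_LENGTH) {
            return false;
        }
        // Letters (any script), digits, spaces and a few punctuation marks only.
        return name.matches("[\\p{L}\\p{N} .,'&-]+");
    }

    // Encode the five characters that are significant in HTML text and
    // quoted-attribute contexts; this is the output-side defence.
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; the second mimics a script payload in 'name'.
        String[] samples = { "Acme Trading Ltd.", "<script>alert(1)</script>" };
        for (String name : samples) {
            System.out.println("input : " + name);
            System.out.println("valid : " + isValidName(name));
            // Even if validation were bypassed, the stored value is escaped on render.
            System.out.println("render: <td>" + escapeHtml(name) + "</td>");
        }
    }
}
```

Validation alone is not sufficient, since other write paths may exist; the escape on render is the control that must always apply where customer data is displayed.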
