SohuTV CacheCloud Cross-Site Scripting Vulnerability in User Management Controller
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in SohuTV CacheCloud versions through 3.2.0. The issue arises in the UserManageController, specifically within the doUserList function. The vulnerability occurs because user-controllable parameters are not properly encoded before being displayed on the web page, allowing attackers to execute XSS attacks. This vulnerability can be exploited remotely and requires user interaction.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.
Reproduction
To reproduce this vulnerability, send a POST request to the '/manage/user/list' endpoint with a crafted payload in the 'searchChName' parameter. The payload should include unencoded script elements that exploit the XSS vulnerability. Ensure that the 'tabId' parameter is set to '1' to trigger the vulnerable code path.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.