SohuTV CacheCloud Cross-Site Scripting Vulnerability in App Management Controller

A cross-site scripting (XSS) vulnerability has been identified in SohuTV CacheCloud versions up to 3.2.0. The issue arises in the 'doAppAuditList' function of the 'AppManageController.java' file, where user-controlled parameters are not properly encoded before being displayed on the web page. This flaw allows remote attackers to execute XSS attacks, potentially affecting users who interact with the compromised page.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to the '/manage/app/auditList' endpoint with crafted 'startDate' and 'endDate' parameters that include unencoded script elements. The absence of proper input sanitization will result in the execution of the injected script, demonstrating the XSS vulnerability.