SohuTV CacheCloud Cross-Site Scripting Vulnerability in TaskController

A cross-site scripting (XSS) vulnerability has been identified in SohuTV CacheCloud versions prior to 3.2.0. The issue arises in the 'taskQueueList' function of the 'TaskController.java' file, where user-controllable parameters are not properly encoded before being displayed on the web page. This flaw allows remote attackers to execute XSS attacks against users.

Impact

Exploitation of this vulnerability allows for reflected cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, send a POST request to the '/manage/task/list' endpoint with a payload that includes unencoded JavaScript in the 'className' parameter. The 'searchTaskId' parameter can be set to 0, and the 'pageNo' and 'pageSize' parameters can be set to 1 and 30, respectively. The response will include the injected script executed as part of the page.