xnx3 Wangmarket Unrestricted File Upload Vulnerability in XML File Handler
Vulnerability
A vulnerability allowing unrestricted file uploads has been identified in xnx3 Wangmarket versions through 6.4. The issue arises in the 'uploadImage' function of the '/sits/uploadImage.do' file, where the 'image' argument can be manipulated to upload malicious XML files. This vulnerability can be exploited remotely, leading to stored cross-site scripting (XSS) attacks.
Impact
Exploitation of this vulnerability allows unrestricted file uploads: an attacker can place files carrying malicious scripts on the server, resulting in stored cross-site scripting (XSS) when those files are accessed.
Reproduction
To reproduce this vulnerability, upload an XML file through the '/sits/uploadImage.do' endpoint. The uploaded file can contain a JavaScript payload that will be executed when the file is accessed, demonstrating the stored XSS vulnerability.
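A server-side check that would refuse the XML upload described above, as an added example (this is not Wangmarket's code, which the page does not show; Python is used for illustration, and the function names and sample bytes are constructed). It assumes the endpoint should accept only PNG, JPEG and GIF images, and it derives the stored extension and the served Content-Type from the file's leading bytes rather than from anything the client sends:

```python
import secrets

# Allowlist: magic-byte prefix -> (server-chosen extension, Content-Type).
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}


class UploadRejected(ValueError):
    """Raised when the upload body is not an allowlisted raster image."""


def sniff_image(data: bytes):
    """Return (ext, content_type) from the file's leading bytes, or None."""
    for magic, kind in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def accept_image_upload(client_name: str, client_type: str, data: bytes) -> dict:
    """Decide how an upload is stored and served, ignoring client metadata.

    client_name and client_type are attacker-controlled, so they are used only
    in the rejection message; storage and serving follow the content itself.
    """
    kind = sniff_image(data)
    if kind is None:
        # XML, SVG, HTML and every other non-image body ends up here.
        raise UploadRejected(f"not an allowed image: {client_name!r} ({client_type})")
    ext, content_type = kind
    return {
        "stored_name": f"{secrets.token_hex(16)}.{ext}",
        "headers": {
            "Content-Type": content_type,
            "X-Content-Type-Options": "nosniff",  # browser must not re-sniff
        },
    }


# Constructed sample inputs (not taken from the advisory).
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_XML = b'<?xml version="1.0"?><note>constructed sample</note>'
```

Because the response type is fixed to an image type with `nosniff`, a file that passes the signature check is never handed to the browser as a parseable XML or HTML document.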
