xnx3 Wangmarket Stored Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in xnx3 Wangmarket versions through 6.4. The issue lies in the Add Global Variable Handler component, specifically in the /siteVar/save.do file. Manipulating the Remark or Variable Value arguments allows XSS payloads to be injected. Exploitation requires authentication and user interaction, but can be carried out remotely.
Impact
Exploitation of this vulnerability leads to stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, log into the application with valid credentials. Once logged in, navigate to the Add Global Variable section. Inject an XSS payload into the Remark or Variable Value fields and save the variable. The injected script will execute when the variable is accessed later.
