xnx3 Wangmarket Cross-Site Scripting Vulnerability in System Variables Page
Vulnerability
A stored cross-site scripting vulnerability has been identified in xnx3 Wangmarket versions up to 4.9. The issue resides in the file '/admin/system/variableSave.do', within the System Variables Page component. This vulnerability allows attackers to inject malicious JavaScript into system variables, which is then persistently stored in the database. When the system variable list page is accessed by administrators or other users, the injected code executes automatically in the browser, potentially stealing cookies, hijacking sessions, or performing other malicious actions.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the system variables list.
Reproduction
To reproduce this vulnerability, log into an admin account and navigate to 'System Management' -> 'System Variables'. Click 'Add Variable', insert a script tag (e.g., '<ScRiPt>alert(1)</ScRiPt>') in the description field, and save the variable. The script will execute upon saving, demonstrating the cross-site scripting vulnerability.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.