xnx3 Wangmarket Cross-Site Scripting Vulnerability in Backend Variable Search Component
Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in xnx3 Wangmarket versions through 4.9. The issue resides in the Backend Variable Search component, specifically within the variableList function of the file /admin/system/variableList.do. The vulnerability arises from improper handling of the Description parameter, allowing remote attackers to inject malicious scripts that are executed in the context of the user's browser.
Impact
Exploitation of this vulnerability results in reflected cross-site scripting, where injected scripts are executed in the context of the victim's browser.
Reproduction
To reproduce this vulnerability, log into an admin account and navigate to the Backend Variable Search interface. Insert a script payload into the 'Description' field of the system variables and click 'Search'. The injected script will execute, demonstrating the cross-site scripting vulnerability.
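For triage on the defensive side, the following added example (not code from Wangmarket or from this advisory) scans web access logs for requests to the affected path whose Description value decodes to HTML markup characters. It assumes the search is submitted as a GET request with the value in the query string, that the log uses the common combined format, and that the parameter name is matched case-insensitively; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TARGET_PATH = "/admin/system/variableList.do"  # path named in the advisory
PARAM = "description"                          # assumption: compared case-insensitively
# Characters that let a reflected value break out of HTML text or a quoted attribute.
# This is a triage heuristic: a hit means "review this request", not "exploited".
MARKUP = re.compile(r'[<>"]')
# Request field of a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_values(log_line):
    """Return decoded Description values in this line that contain markup characters."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # Servlet containers may append ;jsessionid=... to the path; drop it before comparing.
    if url.path.split(";", 1)[0] != TARGET_PATH:
        return []
    hits = []
    # parse_qsl percent-decodes once, which mirrors what the server sees.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == PARAM and MARKUP.search(value):
            hits.append(value)
    return hits

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    return [(n, v) for n, line in enumerate(lines, 1) for v in suspicious_values(line)]

# Constructed sample log lines (documentation IP ranges, harmless markup).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /admin/system/variableList.do?description=site+title HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /admin/system/variableList.do?Description=%22%3E%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /index.html?description=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for line_no, value in scan(SAMPLE_LOG):
        print(f"line {line_no}: Description={value!r}")
```

If the form is submitted by POST, the value will not appear in the access log and the same check has to run where request bodies are visible, such as a WAF or application-level request log.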
