MoonlightL Hexo-Boot Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in MoonlightL Hexo-Boot version 4.3.0. This issue arises in the Dynamic List Page component, specifically within the file '/admin/home/index.html'. The vulnerability allows remote attackers to inject malicious scripts, which can be executed in the context of the user's browser.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser. This could lead to the leakage of sensitive information such as cookies and privacy data.

Reproduction

To reproduce this vulnerability, access the admin home index page. Locate the dynamic list section and inject an XSS payload, such as a base64-encoded object data URL, into the marked area. After refreshing the page, the injected payload will trigger a pop-up, demonstrating the successful execution of the XSS attack. This payload can also be injected through the dynamic section on the blog frontend, where it will similarly execute and trigger a pop-up.

Remediation

It is recommended to escape or disable potentially malicious executable functions where necessary.