Xxl-api Stored Cross-Site Scripting Vulnerability in Business Line Management Module
Vulnerability
A stored cross-site scripting vulnerability has been identified in the Business Line Management module of Xxl-api versions through 1.3.0. This vulnerability allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter. Similar cross-site scripting vulnerabilities exist in other modules, including project management, data type management, and user management.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, upload the latest version of the Xxl-api code and run it locally. After logging into the application, navigate to the Business Line Management module and create a new business line. Insert a cross-site scripting payload into the Business Line Name field and save the data. The injected script will be executed when the business line is accessed.
Remediation
Users are advised to update to the latest version of Xxl-api, as the vulnerability has been addressed in the most recent release.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.