DzzOffice
cpe:2.3:a:dzzoffice:dzzoffice:*:*:*:*:*:*:*
- <= 2.3.7
A stored cross-site scripting vulnerability has been identified in the DzzOffice comment editing template (dzz/comment/template/edit_form.htm) in versions through 2.3.7. The template does not sufficiently escape user-controllable data for the contexts in which it is output, including HTML and JavaScript strings. A low-privilege authenticated attacker can craft comment content or request parameters that execute arbitrary JavaScript code when the victim opens the editing pop-up, potentially leading to session hijacking, data theft, and privilege escalation.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript code in the context of the user editing a comment, which could be used to hijack the user's session, steal data, or escalate privileges.
To reproduce this vulnerability, a low-privilege authenticated user can create a comment containing crafted JavaScript that exploits the lack of proper escaping. Once the comment is saved, the user can open the comment editing pop-up, which triggers execution of the embedded JavaScript. Because the comment is stored, other users who access it are affected in the same way.
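The escaping requirement described above, as an added example that is not DzzOffice's template code: each value is encoded for the context it is written into, HTML or a JavaScript string. The function names, the form fragment and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not DzzOffice code. All names here are hypothetical.

// HTML element content and quoted attribute values.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript string literal inside an inline <script> block. json_encode()
// emits the quoted literal; the JSON_HEX_* flags write < > & ' " as \uXXXX,
// so the value can end neither the string nor the script element.
function esc_js(string $s): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($s, $flags | JSON_THROW_ON_ERROR);
}

// Hypothetical edit-form fragment with one value in each context.
function render_edit_form(string $message, string $cid): string
{
    return '<textarea name="message">' . esc_html($message) . "</textarea>\n"
        . '<script>var cid = ' . esc_js($cid) . ";</script>\n";
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample values containing markup and quote characters.
$message = 'note </textarea><b>bold</b>';
$cid     = "7'; </script><i>";
$out     = render_edit_form($message, $cid);
echo $out;

// Each closing tag appears once: the template's own, never one from the data.
check(substr_count($out, '</textarea>') === 1, 'textarea not closed by data');
check(substr_count($out, '</script>') === 1, 'script not closed by data');
// The HTML encoder leaves backslashes and newlines untouched; both are
// significant inside a JavaScript string, so it is wrong for that context.
check(esc_html("a\\\nb") === "a\\\nb", 'esc_html does not cover JS strings');
check(strpos(esc_js("a\\\nb"), "\n") === false, 'esc_js escapes the newline');
```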