Bigotry OneBase Cross-Site Scripting Vulnerability in Exception Handling Template
Vulnerability
A reflected cross-site scripting vulnerability has been identified in Bigotry OneBase versions through 1.3.6. The issue arises in the 'parse_args' function within the '/tpl/think_exception.tpl' file, where user-controlled input is not properly sanitized before being output. This flaw allows the injection of arbitrary JavaScript, which is executed in the context of the admin panel. The vulnerability can be exploited remotely, particularly when an exception is triggered whose call stack trace includes the unsanitized input.
Impact
Exploitation of this vulnerability allows for cross-site scripting, where injected scripts can be executed in the context of the user.
Reproduction
To reproduce this vulnerability, navigate to the admin panel and trigger an exception by entering invalid input in the 'order_field' parameter of the 'configlist' menu. The resulting debug page will display the call stack with the injected script, which can be executed by clicking on the 'alert' link.
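The defect described above is a debug template that echoes call-stack arguments into HTML without escaping. The following is an added example, not OneBase's or ThinkPHP's code, of how such an argument renderer should be written; the function names `renderArg` and `renderArgs` and the sample frame are assumptions for illustration.

```php
<?php
// Added example (not the project's code): a hypothetical renderer for the
// argument list shown in a debug page's call-stack trace. Every value is
// reduced to a short string and HTML-escaped, so request-derived data that
// ends up in an exception frame is displayed as text, never as markup.

declare(strict_types=1);

/**
 * Render one call-stack argument for an HTML debug page.
 * ENT_QUOTES escapes both quote styles, so the value cannot break out of
 * an attribute either; ENT_SUBSTITUTE keeps malformed UTF-8 from turning
 * into an empty string that would hide the argument entirely.
 */
function renderArg(mixed $arg): string
{
    if (is_object($arg)) {
        $text = get_class($arg);              // never dump object internals
    } elseif (is_array($arg)) {
        $text = 'array(' . count($arg) . ')';
    } elseif (is_string($arg)) {
        // Truncate long strings so a debug page cannot be flooded.
        $text = mb_strlen($arg) > 120 ? mb_substr($arg, 0, 120) . '...' : $arg;
    } else {
        $text = var_export($arg, true);       // ints, floats, bools, null
    }
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a frame's whole argument list as a comma-separated, escaped string. */
function renderArgs(array $args): string
{
    return implode(', ', array_map('renderArg', $args));
}

// Constructed sample frame: the first argument came straight from a request
// parameter and contains markup, the kind of input the advisory describes.
$frame = [
    'function' => 'configlist',
    'args'     => ['<script>alert(1)</script>', 42, null],
];

// The function name is escaped too; it is trusted here but costs nothing.
echo '<td>' . htmlspecialchars($frame['function'], ENT_QUOTES, 'UTF-8')
    . '(' . renderArgs($frame['args']) . ')</td>' . PHP_EOL;
```

Escaping at the template is the fix for the template; independently of it, verbose exception pages should not be reachable on a production deployment at all, since they also disclose file paths and call arguments to anyone who can trigger an error.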
