jerryshensjf JPACookieShop Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in jerryshensjf JPACookieShop 蛋糕商城JPA版 versions prior to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. The issue arises in the GoodsController.java file, where user input is not properly validated or sanitized before being stored in the database. This lack of filtering allows malicious scripts to be injected and subsequently executed when the stored data is retrieved and displayed in the browser. The vulnerability can be exploited remotely, affecting multiple endpoints related to content management.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page.

Reproduction

To reproduce this vulnerability, log into the application as an admin and navigate to the 'Add Product' page. Without any input validation, enter a product name that includes a script tag, such as a JavaScript alert. Once the product is saved, the injected script will execute when the product list is viewed.