wx-shop Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in wx-shop versions up to de1b66331368695779cfc6e4d11a64caddf8716e. The issue arises in the file '/user/editUI', where user input is not properly validated or sanitized before being processed by the '/user/saveUser' API. This lack of filtering allows malicious scripts to be injected, stored in the database, and executed when the data is retrieved and displayed in the browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into the application as an admin user. Navigate to the '/user/editUI' page and use the interface to add a new user. Input a username that includes a script tag, such as one containing JavaScript code, and a password. Once the form is submitted, the injected script will be executed when the user data is accessed.