Atjiu Pybbs Cross-Site Scripting Vulnerability in Admin Panel Settings API

Vulnerability

A stored cross-site scripting vulnerability has been identified in Atjiu Pybbs versions up to 6.0.0. The issue resides in the Admin Panel's settings API, where user input is not properly sanitized before being displayed. This flaw allows an authenticated user to inject malicious JavaScript, which is then executed when the affected page is viewed. The vulnerability is exacerbated by the application's cookie settings, which do not mark cookies as HttpOnly, potentially allowing attackers to steal cookies from both regular users and administrators, leading to account takeovers.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the page. This could be used to steal cookies from users, including administrators, potentially leading to account hijacking.

Reproduction

To reproduce this vulnerability, an authenticated user can send a PUT request to the '/api/settings' endpoint with a payload that includes JavaScript code, such as an image tag (with an invalid image source) using an 'onerror' attribute. Once the payload is injected, it can be triggered by accessing the corresponding user profile page or the admin edit user page, where the injected script will execute.
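As an added illustration, not code from the Pybbs project or from the advisory's author, the following Python shows the two defensive controls the advisory implies: HTML-encoding a stored settings value before it is rendered into a page, and checking a Set-Cookie header for the HttpOnly, Secure and SameSite attributes whose absence the advisory calls out. The payload string and both cookie header values are constructed samples; the cookie name JSESSIONID is an assumption and is not stated anywhere in the advisory.

```python
import html

# Constructed sample of the kind of value the advisory describes: an image tag
# with an invalid source and an onerror handler. Used only to show that output
# encoding neutralises it before the browser parses the page.
SAMPLE_PAYLOAD = '<img src="x" onerror="alert(1)">'


def encode_for_html(value: str) -> str:
    """Escape a stored settings value before placing it in HTML body context.

    html.escape turns < > & " and ' into entities, so the HTML parser never
    sees a tag or attribute boundary that originated in user data.
    """
    return html.escape(value, quote=True)


def is_rendered_safely(raw: str) -> bool:
    """True when encoding leaves no '<' or '>' that could open a tag."""
    encoded = encode_for_html(raw)
    return "<" not in encoded and ">" not in encoded


def cookie_flags(set_cookie_header: str) -> dict:
    """Parse a Set-Cookie header value into its cookie name and attribute flags.

    Attribute names are compared case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in set_cookie_header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    samesite = next(
        (p.split("=", 1)[1] for p in parts[1:] if p.lower().startswith("samesite=")),
        None,
    )
    return {
        "name": name,
        "httponly": "httponly" in attrs,
        "secure": "secure" in attrs,
        "samesite": samesite,
    }


def session_cookie_issues(set_cookie_header: str) -> list:
    """Return the hardening gaps a reviewer would flag on a session cookie."""
    flags = cookie_flags(set_cookie_header)
    issues = []
    if not flags["httponly"]:
        issues.append("missing HttpOnly: document.cookie can read it")
    if not flags["secure"]:
        issues.append("missing Secure: sent over plain HTTP")
    if flags["samesite"] is None:
        issues.append("missing SameSite")
    return issues


# Constructed header samples (assumed cookie name): the weak form the advisory
# warns about, and a hardened form that script in the page cannot read.
WEAK_COOKIE = "JSESSIONID=abc123; Path=/"
HARDENED_COOKIE = "JSESSIONID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    print(encode_for_html(SAMPLE_PAYLOAD))
    print(session_cookie_issues(WEAK_COOKIE))
    print(session_cookie_issues(HARDENED_COOKIE))
```

Encoding at render time is the control that removes the stored XSS; marking the session cookie HttpOnly does not fix the injection but limits what a successful injection can reach, which is why the advisory treats the missing flag as an aggravating factor rather than the root cause.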

Remediation

Users are advised to update to the latest version of Atjiu Pybbs, where this vulnerability has been patched.

Added: Aug 10, 2025, 2:18 PM
Updated: Aug 10, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          1.7
  exploitability  6.6
  remediation     7.7
  relevance       0.3
  threat          6.4
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.