ZrLog Cross-Site Scripting Vulnerability in Theme Configuration Component

Vulnerability

A stored cross-site scripting vulnerability has been identified in ZrLog versions through 3.1.5. The issue lies in the theme configuration module, specifically in the footerLink input field. A script stored in this field is executed whenever a user, including an administrator, loads a page that renders the theme's footer. The value is saved by sending a POST request to the /api/admin/template/config endpoint with the script in the footerLink field. The frontend performs no input sanitization, and the backend neither validates nor escapes the value before rendering it, so the stored payload reaches the browser unchanged. Possible consequences include session hijacking, unauthorized actions performed in the administrator's context, and leakage of sensitive information.

Impact

Exploitation of this vulnerability results in stored cross-site scripting: the injected script runs in the context of every user who views an affected page. It could be used to hijack administrator sessions, inject fake UI elements, or steal sensitive data.

Reproduction

To reproduce this vulnerability, an authenticated user with access to the theme configuration enters a script into the footerLink field of the theme configuration form in the admin panel. Once the value is saved, the script executes whenever the footer is rendered, on any page, including public-facing ones.
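The two rendering patterns below, written in Python for illustration and not taken from ZrLog's (Java) code base, show the defect the advisory describes and the fix a maintainer would apply. The unsafe function concatenates the stored footerLink value straight into the footer markup; the hardened version validates the value on save (absolute http/https URL, no characters that can close an attribute or open a tag) and HTML-escapes it on render as a second layer. A small scan helper shows how a defender could check an existing theme configuration for markup that should never have been stored. The sample footerLink value is constructed for this example; the assumption that the setting lands inside an href attribute is also mine.

```python
import html
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample value: an attacker-controlled footerLink that breaks
# out of the href attribute and injects a tag (not a real payload from ZrLog).
SAMPLE_FOOTER_LINK = 'https://example.com/"><script>alert(1)</script>'

# Only plain web links are acceptable in a footer link setting.
ALLOWED_SCHEMES = {"http", "https"}
# Characters that can terminate an attribute or start a tag in HTML.
FORBIDDEN_CHARS = set('<>"\'')


def render_footer_unsafe(footer_link: str) -> str:
    """Vulnerable pattern: raw string concatenation into the footer template."""
    return '<div class="footer"><a href="' + footer_link + '">Link</a></div>'


def validate_footer_link(value: str) -> Optional[str]:
    """Save-time validation: return the value only if it is a clean absolute
    http(s) URL, otherwise None so the caller rejects the update."""
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    if any(c in FORBIDDEN_CHARS or c.isspace() for c in value):
        return None
    return value


def render_footer_safe(footer_link: str) -> str:
    """Hardened pattern: validate, then HTML-escape at the output point.
    Escaping with quote=True neutralises '"' and "'" inside the attribute."""
    link = validate_footer_link(footer_link)
    if link is None:
        # Invalid stored value: render the footer without the link.
        return '<div class="footer"></div>'
    return '<div class="footer"><a href="' + html.escape(link, quote=True) + '">Link</a></div>'


def contains_active_markup(rendered: str) -> bool:
    """Detection check on rendered output: an unescaped <script tag means the
    stored value reached the page as markup rather than as text."""
    return "<script" in rendered.lower()


def scan_theme_config(config: Dict[str, str]) -> List[str]:
    """Return the names of settings whose stored value contains characters
    that a URL-type setting should never hold (useful when auditing an
    instance that was upgraded after running a vulnerable version)."""
    return [key for key, value in config.items()
            if any(c in FORBIDDEN_CHARS for c in value)]


if __name__ == "__main__":
    print("unsafe :", render_footer_unsafe(SAMPLE_FOOTER_LINK))
    print("safe   :", render_footer_safe(SAMPLE_FOOTER_LINK))
    # Constructed config dictionary standing in for the stored theme settings.
    print("flagged:", scan_theme_config({"footerLink": SAMPLE_FOOTER_LINK,
                                         "siteName": "My blog"}))
```

The validation step is what stops the stored XSS at the /api/admin/template/config write; the escape on render protects the footer even if an already-poisoned value is still in the database after an upgrade, which is why both belong in the fix.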

Added: Aug 28, 2025, 10:18 PM
Updated: Aug 28, 2025, 10:18 PM

Vulnerability Rating

Custom Algorithm

spread: 1.6
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.