CicadasCMS Cross-Site Scripting Vulnerability in Search Function

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in CicadasCMS versions prior to commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab. The issue arises in the search function of the file 'org/springframework/cache/support/AbstractCacheManager.java', where improper handling of the 's' parameter allows for the injection of malicious scripts. This vulnerability can be exploited remotely, and the exploit has been made public.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, log into an administrator account and navigate to the user management module. The 'search' interface can be accessed by sending a POST request to '/search' with the 's' parameter containing a script injection payload. This payload can be crafted to include XSS scripts that, when executed, bypass the Same-Origin Policy and interact with the '/system/user/update' interface, which lacks CSRF protection. This chain of exploitation can be used to create a new administrator account without the original administrator's knowledge.

Remediation

To address this vulnerability, input validation should be improved to ensure that the 's' parameter only accepts numerical values. Additionally, XSS filtering should be applied to sanitize user inputs before they are processed or displayed. Implementing a Content Security Policy (CSP) can also help mitigate the risk by restricting the execution of unauthorized scripts.
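The first two measures above and a CSP header value, as an added example that is not CicadasCMS code: the class name, method names and policy string are assumptions, and the sample inputs are constructed. It uses only the JDK, and it checks against an ASCII-only allow-list because Integer.parseInt on its own also accepts non-ASCII Unicode digits.

```java
import java.util.regex.Pattern;

// Added example: hypothetical helper, not part of CicadasCMS.
public class SearchParamGuard {
    // Allow-list: 1 to 9 ASCII digits, so the value always fits in an int.
    private static final Pattern NUMERIC = Pattern.compile("[0-9]{1,9}");

    // Assumed policy; adjust the sources to what the application really loads.
    static final String CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

    /** Returns the parsed value, or throws if 's' is missing or not purely numeric. */
    static int parseSearchParam(String s) {
        if (s == null || !NUMERIC.matcher(s).matches()) {
            throw new IllegalArgumentException("parameter 's' must be 1-9 decimal digits");
        }
        return Integer.parseInt(s);
    }

    /** Encodes the HTML-significant characters for element and quoted-attribute contexts. */
    static String escapeHtml(String in) {
        StringBuilder out = new StringBuilder(in.length() + 16);
        for (int i = 0; i < in.length(); i++) {
            char c = in.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values for 's'; the last one is two fullwidth digits.
        String[] samples = { "42", "007", "", "12a", "\"><b title=x>", "\uFF11\uFF12" };
        for (String s : samples) {
            try {
                System.out.println("accepted s=" + parseSearchParam(s));
            } catch (IllegalArgumentException e) {
                // Never echo the raw value: encode it before it reaches HTML.
                System.out.println("rejected s=" + escapeHtml(s) + " -> respond with HTTP 400");
            }
        }
        System.out.println("Content-Security-Policy: " + CSP);
    }
}
```

Validation rejects bad input at the boundary, while the encoding step still has to be applied wherever a request value is written into a page, since other parameters may not be numeric.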

Added: May 30, 2026, 10:18 PM
Updated: May 30, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.5
remediation: 0.0
relevance: 9.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.