CicadasCMS Cross-Site Scripting Vulnerability in Task Scheduling Management Module

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in CicadasCMS versions prior to commit 2431154dac8d0735e04f1fd2a3c3556668fc8dab. The issue resides in the Task Scheduling Management Module, specifically within the ScheduleJobController.java file. The vulnerability arises because the '/system/schedule/save' interface does not properly sanitize the 'jobName' parameter, allowing attackers to inject malicious JavaScript. This injected script is stored in the database and executed in the browser when an administrator or a user with relevant permissions accesses the task list or scheduling monitoring page.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the task list or scheduling monitoring page.

Reproduction

To reproduce this vulnerability, access the task management window and navigate to the task name field. Enter a payload containing a script, such as a JavaScript alert, and save the task. The injected script will execute when the task list is accessed, demonstrating the cross-site scripting vulnerability.

Remediation

It is recommended to implement input validation and filtering for user-supplied values, particularly the 'jobName' parameter, rejecting input that does not match the expected character set. Additionally, output encoding should be applied so that special characters are escaped for the HTML context in which the value is rendered (the task list and scheduling monitoring page), since the stored value is executed only when it reaches a browser unencoded. Consider including a Content Security Policy (CSP) in the response headers to restrict the execution of external scripts.
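The two code-level remediations above, allow-list validation of the job name on save and HTML output encoding at render time, as an added example written for this advisory. It is not CicadasCMS code and not the project's ScheduleJobController; the class, method names and the allowed character set are assumptions, and the sample inputs are constructed.

```java
import java.util.regex.Pattern;

/**
 * Added example (hypothetical, not part of CicadasCMS): server-side
 * validation of a scheduled job's name plus HTML output encoding.
 * The names JobNameHandling, isValidJobName, escapeHtml and renderRow
 * are assumptions made for this illustration.
 */
public class JobNameHandling {

    // Allow-list for job names: letters, digits, underscore, dot, hyphen
    // and space, 1 to 64 characters. Assumption: real job names in the
    // scheduler never need angle brackets, quotes or other markup characters.
    private static final Pattern JOB_NAME = Pattern.compile("^[\\p{L}\\p{N}_. -]{1,64}$");

    /** Input filtering on the save path: reject anything outside the allow-list
     *  rather than trying to strip tags from it. */
    public static boolean isValidJobName(String jobName) {
        return jobName != null && JOB_NAME.matcher(jobName).matches();
    }

    /** Output encoding for text placed in an HTML element or quoted attribute.
     *  Applied at render time, so values already stored in the database are
     *  neutralised too, not only values saved after the fix. */
    public static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds one task-list row from a stored job name, encoding it on the way out. */
    public static String renderRow(String storedJobName) {
        return "<tr><td>" + escapeHtml(storedJobName) + "</td></tr>";
    }

    public static void main(String[] args) {
        // Constructed sample inputs for demonstration.
        String ordinaryName = "nightly-backup";
        String markupName = "<script>alert(1)</script>";

        System.out.println("valid on save: " + isValidJobName(ordinaryName));
        System.out.println("valid on save: " + isValidJobName(markupName));

        // Even if a markup value were already in the database, the row renders
        // it as inert text rather than as an element.
        System.out.println(renderRow(ordinaryName));
        System.out.println(renderRow(markupName));
    }
}
```

The validation step belongs in the handler behind '/system/schedule/save' before the value is persisted; the encoding step belongs wherever the task list and monitoring page emit the name into HTML. If a template engine with automatic escaping is in use, its escaping must not be disabled for that field. A restrictive CSP (for example one whose script-src does not allow inline scripts) adds a second layer but does not replace the encoding.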

Added: Jun 2, 2026, 2:20 AM
Updated: Jun 2, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 6.3
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.