heyewei JFinalCMS Cross-Site Scripting Vulnerability in API Endpoint

Vulnerability

A stored cross-site scripting (XSS) vulnerability has been identified in heyewei JFinalCMS version 5.0.0. The handler behind the API endpoint '/admin/admin/save' accepts a submitted username without validation or encoding and writes it to the database as-is; when that stored value is later rendered into an admin page, it is inserted into the HTML without output encoding, so a script payload placed in the field executes in the browser of whoever views the page. Because the payload is persisted, every subsequent view of the affected page triggers it. An attacker who can reach the endpoint (the reproduction steps below assume an authenticated admin-panel session) can use this to, for example, steal session cookies or perform actions in the context of the victim's account.

Impact

Exploitation of this vulnerability results in persistent (stored) cross-site scripting: the injected script runs in the browser of any user who views the page that renders the stored field, with that user's session and privileges. Since the affected pages live under the admin panel, the likely victims are other administrators.

Reproduction

To reproduce this vulnerability, log into the admin panel of heyewei JFinalCMS 5.0.0. Navigate to the user management section and create a new user. In the username field, enter a script-tag payload, for example a `<script>` element wrapping an `alert()` call. Submit the form, which posts to '/admin/admin/save'. Once the username has been saved, the injected script executes whenever the username is rendered on a page, confirming that the value is neither rejected on input nor encoded on output.
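The pattern behind this advisory, as an added illustration in Java (the language JFinalCMS is written in). This is not code from JFinalCMS or from the advisory; the class, method and field names (AdminSaveExample, USER_STORE, saveUser, renderProfileUnsafe, renderProfileSafe, escapeHtml) are hypothetical stand-ins. It shows a save handler that persists the raw username, a view that concatenates the stored value straight into HTML (the vulnerable pattern the advisory describes), and the same view with contextual HTML encoding applied at output time (the fix).

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not JFinalCMS code. Models the stored-XSS flow described
 * in the advisory: raw username in at /admin/admin/save, unencoded HTML out.
 * All names here are hypothetical.
 */
public class AdminSaveExample {

    /** Stand-in for the database table the save handler writes to. */
    static final Map<Integer, String> USER_STORE = new HashMap<>();

    /** Saves whatever the client submitted, with no validation or encoding. */
    static int saveUser(int id, String username) {
        USER_STORE.put(id, username);
        return id;
    }

    /** Vulnerable: the stored value is concatenated directly into the HTML. */
    static String renderProfileUnsafe(int id) {
        return "<td class=\"username\">" + USER_STORE.get(id) + "</td>";
    }

    /** Fixed: the stored value is HTML-encoded for the element-content context. */
    static String renderProfileSafe(int id) {
        return "<td class=\"username\">" + escapeHtml(USER_STORE.get(id)) + "</td>";
    }

    /** Minimal HTML entity encoder for text placed between tags. */
    static String escapeHtml(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed payload of the kind named in the Reproduction section.
        String payload = "<script>alert(document.cookie)</script>";
        int id = saveUser(1, payload);

        String unsafe = renderProfileUnsafe(id);
        String safe = renderProfileSafe(id);

        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);

        // The unsafe rendering contains a live <script> element; the safe one
        // contains only the encoded text &lt;script&gt;, which the browser
        // displays rather than executes.
        if (!unsafe.contains("<script>") || safe.contains("<script>")) {
            throw new AssertionError("output encoding check failed");
        }
    }
}
```

The advisory frames the root cause as input not being sanitized before it is saved. Rejecting or cleaning input at '/admin/admin/save' is a useful defence-in-depth layer, but the reliable fix is the one shown in renderProfileSafe: encode at the point of output, for the context the value lands in (element content here; attribute, JavaScript and URL contexts each need their own encoder), so that the same stored value cannot become executable when a different page or template later renders it.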

Added: Feb 9, 2026, 2:22 AM
Updated: Feb 9, 2026, 2:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.4
exploitability: 6.3
remediation: 0.0
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.