### Vulnerability Overview

- **Vulnerability Type**: Reflected XSS (Cross-Site Scripting)
- **Vulnerability ID**: #3892
- **Status**: Open
- **Reporter**: hss94531
- **Editor**: hss94531
- **Report Time**: Last week

### Impact Scope

- **Affected Component**: SSCMS v7.4.0
- **Affected Permissions**: SQLite + administrator (security_key) permissions
- **Vulnerability Details**:
  - The SSCMS component accepts encrypted parameters without authentication, decrypts them, parses the STL template content they carry, and returns the resulting HTML directly.
  - The `@yield` content in the template is neither XSS-filtered nor HTML-encoded before it is written into the HTML output.

### Remediation

- **Current Status**: No fix available
- **Recommended Measures**:
  - Apply XSS filtering or HTML encoding to the `@yield` content in templates.
  - Ensure all user input is encoded for its output context before it is written into HTML.

### POC Code

Relevant excerpt from the SSCMS STL parsing code: the value read from the SQL item is formatted into `parsedContent` and returned without any encoding.

```csharp
// Look up the requested column of the current SQL item (case-insensitive).
var value = ListUtils.GetValueByLowerCase(contextInfo.ItemContainer.SqlItem.Value, ty);
if (value != null)
{
    // The raw column value is placed into the HTML fragment as-is:
    // no HTML encoding or XSS filtering happens here.
    parsedContent = string.Format(format, value);
}

if (string.IsNullOrEmpty(queryString))
{
    if (string.IsNullOrEmpty(connectionString))
    {
        connectionString = ConfigurationManager.ConnectionStrings["Database.ConnectionString"];
    }

    // parsedContent = GlobalSettings.DatabaseRepository.GetQueryString(connectionString, queryString);
    parsedContent = parseManager.DatabaseManager.GetQueryString(connectionString, queryString);
}
```

### Exploitation Example

The `html` field of the JSON response carries the injected payload back unchanged:

```plaintext
Status: 200
Response: {"value":true,"html":"alert(\"XSS\")"}

Process finished with exit code 0
```

### Additional Information

- **Assignees**: None
- **Labels**: None
- **Type**: None
- **Projects**: None
- **Milestone**: None
- **Relationships**: None
- **Development**: No branches or pull requests
- **Participants**: None
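As an added illustration of the recommended remediation (example code written for this page, not from SSCMS or the reporter; the class and method names are hypothetical), the following C# contrasts the report's `string.Format(format, value)` pattern with the same call after HTML-encoding the untrusted value, using a constructed template fragment and payload of the kind the report describes:

```csharp
using System;
using System.Net;

// Added example, not SSCMS code. Class and method names are hypothetical.
public static class YieldEncodingExample
{
    // Vulnerable pattern from the report: the untrusted value is formatted
    // straight into the HTML fragment, so any markup it contains is
    // interpreted by the browser.
    public static string RenderUnencoded(string format, string value)
    {
        return string.Format(format, value);
    }

    // Hardened pattern: encode the value for HTML element content first.
    // WebUtility.HtmlEncode turns <, >, &, " and ' into character
    // references, so the payload is displayed as text instead of executed.
    public static string RenderEncoded(string format, string value)
    {
        return string.Format(format, WebUtility.HtmlEncode(value ?? string.Empty));
    }

    // Check used below: does the rendered HTML still contain the raw payload?
    public static bool LeaksPayload(string html, string payload)
    {
        return html.Contains(payload);
    }

    public static void Main()
    {
        // Constructed sample input: a trusted template fragment and an
        // attacker-controlled column value.
        const string format = "<li class=\"item\">{0}</li>";
        const string payload = "<script>alert(\"XSS\")</script>";

        string unencodedHtml = RenderUnencoded(format, payload);
        string encodedHtml = RenderEncoded(format, payload);

        Console.WriteLine("unencoded: " + unencodedHtml
            + (LeaksPayload(unencodedHtml, payload) ? "  [payload executes]" : ""));
        Console.WriteLine("encoded:   " + encodedHtml
            + (LeaksPayload(encodedHtml, payload) ? "  [payload executes]" : "  [rendered as text]"));
    }
}
```

`WebUtility.HtmlEncode` is the right choice when the value lands in element content or a double-quoted attribute, which is the case for the `@yield` output described here. A value that is placed inside a `<script>` block, a URL, or an event-handler attribute needs the encoder for that context instead, and if the client later inserts the returned `html` field with `innerHTML`, the server-side encoding is what keeps the payload inert.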