CVE-2024-57776
Found by: Chaitin Security Research Lab
Vulnerability Product: JFinalOA
Vulnerability version: before 2025.01.01
Vulnerability type: XSS vulnerability
Vulnerability Details:
- Analysis of WEB-INF/admin/oa/contract/apply/list.html:6 shows that clicking the "Add" button navigates to the page for adding a new contract. The URL of that page shows that the request is handled by the getEditPage() method.

- In com/pointlion/mvc/admin/oa/contract/apply/OaContractApplyController.java:107, the getEditPage() method reads the request parameter named "view", sets it directly as a template attribute, and passes the resulting data to the template file edit.html.

- In WEB-INF/admin/oa/contract/apply/edit.html:9, an installAttachment function is included. The view parameter does not appear at this point, so the installAttachment function has to be followed further.

- The body of the installAttachment function is in WEB-INF/admin/sys/attachment/businessIncludeBtn.html:8. At WEB-INF/admin/sys/attachment/businessIncludeBtn.html:14, the template engine outputs the user-supplied view variable as-is when it evaluates #(view?view:''). No filtering or escaping is applied to the view parameter anywhere along this path, so its value is attacker-controllable and a reflected XSS vulnerability exists here.

- PoC: log in to the backend and request the following route
http://localhost:8089/JPointLion_war_exploded/admin/oa/contract/apply/getEditPage?type=1&view="-prompt(/xss-apply:view/)-"
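The following is an added example and not JFinalOA's own code. It sketches the handler flow the advisory describes (read the "view" request parameter, attach it to the template, render edit.html) in its vulnerable shape and beside it a hardened shape that HTML-escapes the value before it reaches the template. The JFinal Controller calls (getPara, setAttr, render) are the real API; the class name, the HtmlEscape helper and the sample payload handling are assumptions made for this illustration.

```java
import com.jfinal.core.Controller;

/**
 * Illustrative controller (added example, not the project's code). Both
 * actions render edit.html, where the "view" attribute ends up in the
 * template expression #(view?view:'') via businessIncludeBtn.html.
 */
public class HardenedContractApplyController extends Controller {

    // Vulnerable shape, as described in the advisory: the raw request
    // parameter is handed to the template, which echoes it without escaping.
    public void getEditPageVulnerable() {
        String view = getPara("view");
        setAttr("view", view);
        render("edit.html");
    }

    // Hardened shape: the value is HTML-escaped before it is attached, so
    // quotes and angle brackets can no longer break out of the template's
    // output context. (Assumption: "view" is free text; if it only ever takes
    // a few known values, an allowlist check before setAttr is stricter still.)
    public void getEditPage() {
        String view = getPara("view", "");
        setAttr("view", HtmlEscape.escape(view));
        render("edit.html");
    }
}

/** Minimal HTML escaper used by the hardened action (assumption: no library escaper is available). */
final class HtmlEscape {
    static String escape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Stand-alone demonstration: run the advisory's payload through the escaper
    // to see how the double quotes that close the attribute are neutralised.
    public static void main(String[] args) {
        String poc = "\"-prompt(/xss-apply:view/)-\"";  // payload from the PoC above
        System.out.println("raw:     " + poc);
        System.out.println("escaped: " + escape(poc));
    }
}
```

Escaping in the controller is the minimal fix for the path the advisory traces; escaping at the output point in the template (the Enjoy engine's #escape() output directive, where the version in use supports it) is the more robust choice because it also covers any other route that sets the same attribute.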
