Description
【Vulnerability Description】
There is a vulnerability in the file upload function of the ujcms_v9.7.5 backend. The content of uploaded HTML and PDF files is not filtered or checked. When users view maliciously crafted HTML or PDF files, the embedded malicious JavaScript code will be triggered, which may lead to the theft of sensitive tokens.
【Vulnerability Type】
CWE-79: Cross-site Scripting
【Product Vendor】
https://gitee.com/ujcms/ujcms
https://github.com/ujcms/ujcms
https://www.ujcms.com/
【Affected Product Code Repository】
ujcms_v9.7.5
【Vulnerability Proof】
Upload HTML and PDF files containing an XSS payload
Clicking "View" on the uploaded file triggers the XSS payload
【Code Location】
/main/java/com/ujcms/cms/ext/web/backendapi/WebFileUploadController.java#upload
【Code Analysis】
During upload, the checkName method is called to validate the file name (it must not contain ../) and the suffix (checked against a file suffix blacklist). If both pass, the store method is called to save the file. The content of the file is never checked.
Check whether the file name contains "." (intended to prevent directory traversal using ../)
File suffix blacklist
【Repair Suggestions】
Implement whitelist restrictions on the types of files that can be uploaded
Implement validation and filtering of the content of uploaded files
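The code analysis above describes a blacklist on the suffix and no check of the content, and the repair suggestions ask for an allowlist plus content validation. The following is an added example written for this report, not ujcms code (it does not use ujcms's checkName or store methods): the class name UploadPolicy, the method names, the allowlist of extensions and the sample uploads are all assumptions chosen for illustration. It rejects anything whose extension is not on an allowlist, verifies that the content starts with the signature expected for that extension (so a file named image.png cannot carry an HTML body), scans PDFs for JavaScript action names, and returns the response headers a download endpoint should add so that a stored file is never rendered as a page in the application's origin.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not ujcms code: allowlist-based validation of an uploaded
 * file's name AND content, plus the response headers to serve it with.
 */
public final class UploadPolicy {

    /** Only the types the feature really needs (assumed list). html, htm, svg, xhtml are absent on purpose. */
    private static final Set<String> ALLOWED = Set.of("png", "jpg", "jpeg", "gif", "pdf");

    /** Leading bytes (well-known file signatures) each allowed type must start with. */
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif",  "GIF8".getBytes(StandardCharsets.US_ASCII),
        "pdf",  "%PDF-".getBytes(StandardCharsets.US_ASCII));

    /** PDF name tokens that attach script to a document; "#xx" hex escapes in names are decoded first. */
    private static final Pattern PDF_SCRIPT = Pattern.compile("/(JavaScript|JS)\\b");
    private static final Pattern PDF_NAME_ESCAPE = Pattern.compile("#([0-9A-Fa-f]{2})");

    private UploadPolicy() {}

    /** Returns null when the upload is acceptable, otherwise the reason it is rejected. */
    public static String reject(String fileName, byte[] content) {
        if (fileName == null || fileName.isEmpty() || fileName.contains("/") || fileName.contains("\\")
                || fileName.contains("..") || fileName.indexOf('\0') >= 0) {
            return "unsafe file name";
        }
        int dot = fileName.lastIndexOf('.');
        if (dot <= 0 || dot == fileName.length() - 1) {
            return "missing extension";
        }
        // Lowercase so "x.PDF" and "x.pdf" get the same treatment; only the last extension counts.
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED.contains(ext)) {
            return "extension not in allowlist: " + ext;
        }
        byte[] magic = MAGIC.get(ext);
        if (content == null || content.length < magic.length
                || !Arrays.equals(Arrays.copyOf(content, magic.length), magic)) {
            return "content does not match declared type " + ext;
        }
        if (ext.equals("pdf") && containsPdfScript(content)) {
            return "PDF carries JavaScript actions";
        }
        return null;
    }

    /** Heuristic scan of the raw PDF bytes for /JavaScript or /JS names; compressed object streams are not inspected. */
    static boolean containsPdfScript(byte[] pdf) {
        String text = new String(pdf, StandardCharsets.ISO_8859_1);
        String decoded = PDF_NAME_ESCAPE.matcher(text).replaceAll(
                m -> Matcher.quoteReplacement(String.valueOf((char) Integer.parseInt(m.group(1), 16))));
        return PDF_SCRIPT.matcher(decoded).find();
    }

    /** Headers that keep a stored file from running as a page even if a check above is bypassed. */
    public static Map<String, String> serveHeaders(String ext, String contentType) {
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Content-Type", contentType);
        h.put("X-Content-Type-Options", "nosniff");                       // no sniffing of an image into HTML
        h.put("Content-Security-Policy", "default-src 'none'; sandbox"); // no script, no origin if rendered anyway
        if (!Set.of("png", "jpg", "jpeg", "gif").contains(ext)) {
            h.put("Content-Disposition", "attachment");                   // documents are downloaded, not rendered
        }
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample uploads for this example, not files from the report.
        byte[] htmlBody = "<html><script>alert(1)</script></html>".getBytes(StandardCharsets.US_ASCII);
        System.out.println(reject("page.html", htmlBody));   // extension not in allowlist: html
        System.out.println(reject("page.png", htmlBody));    // content does not match declared type png
        byte[] pdfWithJs = "%PDF-1.4\n1 0 obj << /S /J#61vaScript /JS (app.alert(1)) >>"
                .getBytes(StandardCharsets.ISO_8859_1);
        System.out.println(reject("doc.pdf", pdfWithJs));    // PDF carries JavaScript actions
        System.out.println(reject("doc.pdf", "%PDF-1.4\n%%EOF".getBytes(StandardCharsets.US_ASCII))); // null
        System.out.println(serveHeaders("pdf", "application/pdf"));
    }
}
```

The signature check is what makes the allowlist meaningful: an extension check alone still accepts an HTML body saved as .png, which a browser may sniff and render unless the file is served with X-Content-Type-Options: nosniff. The PDF scan is a heuristic (it does not decompress object streams), which is why serveHeaders still forces PDFs to download and applies a CSP sandbox; ideally user uploads are served from a separate origin so that any script that does run cannot reach the application's session tokens.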