A critical Stored Cross-Site Scripting (Stored XSS) vulnerability exists in the backend user management functionality. The application fails to properly sanitize user-controlled input before rendering it in the administrative interface, allowing attackers to inject persistent JavaScript code. This results in automatic execution whenever backend users access the affected page, enabling session hijacking, privilege escalation, and full administrative account compromise.
The vulnerability resides in the backend user creation feature accessible via:
/backend/users
User-supplied input in the name and surname fields is stored without proper validation or sanitization. When this data is later rendered in the backend users listing page, it is injected directly into the HTML without output encoding.
Because of this, attackers can embed malicious JavaScript payloads that execute in the context of authenticated backend users.
This indicates missing contextual output escaping (e.g., HTML encoding) and insufficient input sanitization, leading to persistent script execution.
The vulnerability is particularly severe because the payload is stored server-side and executes automatically for every backend user who opens the listing, including administrators, without any further interaction from the attacker.
Steps to reproduce:
1. Navigate to http://localhost:8080/backend/users.
2. Click Add New User.
3. In the name and surname fields of the new user, insert the following payload:
adnan"><img src=1 onerror=alert(document.cookie)><<e>img src=1 onerror=alert(document.cookie)>
4. Save the user.
5. Revisit http://localhost:8080/backend/users. A popup displaying the cookies appears, demonstrating JavaScript execution in the context of the logged-in backend user. Note that document.cookie only reveals cookies that lack the HttpOnly flag; if the session cookie is HttpOnly the popup will not show it, but the injected script still runs with the viewing user's privileges and can issue authenticated requests to the backend on their behalf.
Severity: Critical (CVSS v3.1 base score 9.9)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: AV:N (Network), AC:L (Low), PR:L (Low, a backend account able to create users), UI:N (None); subscore 3.1
Scope: S:C (Changed), since script stored by one backend user executes in other backend users' browsers
Impact: C:H (High), I:H (High), A:H (High); subscore 6.0