| Field | Value |
|---|---|
| Title | Hubei Yuanjian Software Technology Co., LTD OneBase v1.3.6 Cross Site Scripting |

Description

Summary

A Reflected Cross-Site Scripting (XSS) vulnerability exists in OneBase v1.5.7, stemming from insufficient input sanitization in the ThinkPHP framework's exception handling template (think_exception.tpl). The vulnerability allows attackers to inject arbitrary JavaScript via the Call Stack trace output, which is rendered unsafely in the admin panel.

Details

The vulnerability arises due to:

- Unfiltered output in think_exception.tpl: the template file (/tpl/think_exception.tpl) fails to properly sanitize user-controlled input passed to the Call Stack debug output. The parse_args() function in ThinkPHP's exception handler does not escape HTML entities in all contexts, allowing JavaScript injection via crafted arguments.
- Trigger condition: when an exception occurs (e.g., invalid input in admin.php/config/configlist/order_field/), the framework renders a debug page with the Call Stack, including unsanitized user input.

POC

http://target-ip/admin.php/config/configlist/order_field/?1%3Cscript%3Ealert(123)%3C%2Fscript%3E

http://target-ip/admin.php/menu/setstatus/ids/210/?1%3Cscript%3Ealert(1)%3C%2Fscript%3E

Impact

- Admin session hijacking: attackers can steal cookies or tokens via document.cookie.
- Privilege escalation: malicious scripts could modify admin settings or create backdoor accounts.
- Phishing: inject fake login forms to harvest credentials.

| Field | Value |
|---|---|
| Source | https://github.com/Hebing123/cve/issues/87 |
| User | jiashenghe (UID 39445) |
| Submission | 07/01/2025 04:48 (12 months ago) |
| Moderation | 07/13/2025 09:03 (12 days later) |
| Status | Accepted |
| VulDB entry | 316267 [Bigotry OneBase up to 1.3.6 /tpl/think_exception.tpl parse_args cross site scripting] |
| Points | 20 |
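As an added defender-side example (not part of the submission, OneBase or ThinkPHP), the following Python scans web-server access logs for requests to the admin panel whose percent-decoded target carries HTML markup, which is the shape of the PoC URLs in the description; the combined log format and the sample lines are assumed and constructed here.

```python
import re
from urllib.parse import unquote

# Combined log format (assumed); only the fields needed for triage are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Admin-panel path segments and query strings should never contain a tag opener
# or a javascript: URL; either one reflected into the debug page is the XSS sink.
XSS_MARKERS = re.compile(r'<\s*/?[a-z]|javascript\s*:', re.IGNORECASE)


def decode_target(target, rounds=2):
    """Percent-decode repeatedly so double-encoded payloads are also visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def flag_request(line):
    """Return a finding dict for a suspicious admin.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    if not decoded.startswith("/admin.php/"):
        return None          # only the admin panel renders the debug template
    hit = XSS_MARKERS.search(decoded)
    if not hit:
        return None
    return {"ip": m.group("ip"), "path": decoded.split("?", 1)[0],
            "marker": hit.group(0), "status": m.group("status")}


def scan(lines):
    return [f for f in (flag_request(l) for l in lines) if f]


# Constructed sample lines; the first two mirror the PoC URLs from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jul/2025:04:48:00 +0000] "GET /admin.php/config/configlist/order_field/?1%3Cscript%3Ealert(123)%3C%2Fscript%3E HTTP/1.1" 500 4821',
    '203.0.113.5 - - [01/Jul/2025:04:48:05 +0000] "GET /admin.php/menu/setstatus/ids/210/?1%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 500 4790',
    '198.51.100.9 - - [01/Jul/2025:04:50:10 +0000] "GET /admin.php/config/configlist/order_field/sort HTTP/1.1" 200 1200',
    '198.51.100.9 - - [01/Jul/2025:04:51:00 +0000] "GET /index.php/?q=%3Cscript%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 500 status on a flagged admin.php request is the stronger signal, since the exception page is only rendered when the request actually throws.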