| Title | ZrLog 3.1.6 Improper Neutralization of Alternate XSS Syntax |
|---|
| Description | BUG Author:
Vulnerability Details:
Input Flow:
User input is injected through the footerLink field in the theme configuration form (Path: Settings -> Theme Configuration -> ZrLog Default Theme Settings -> Footer Links).
The frontend submits data to /api/admin/template/config via a POST request, while the previewConfigValue endpoint is used for real-time previews.
Root Cause:
Inadequate Input Handling:
The frontend does not filter or escape special characters (e.g., <, >, &) from user input.
The backend TemplateController.config() method directly parses the request body into a Map without implementing security validation (no sanitization, no Content Security Policy enforcement).
Impact: An attacker can inject malicious scripts (e.g., XSS payloads) into the footerLink field. When other users (including administrators) access pages that render the theme configuration (e.g., theme previews, or public pages that use the footer), the script executes, potentially leading to session hijacking, actions performed with the administrator's privileges, or information leakage.
Code Analysis (Key Files)
Frontend Input Component:
File: TemplateConfig/onFinish
Role: Implements the theme configuration form (includes file uploads, color pickers, and the footerLink input field).
Issue: Lack of input sanitization for special characters (e.g., <, >) in the footerLink field.
Backend Handling:
Controller: TemplateController.config()
Issue: Directly parses the request body into a Map without validating or escaping user input. No Content Security Policy (CSP) or input validation mechanisms are enforced.
Impact
Severity: HIGH (Stored XSS can hijack admin sessions, inject fake UI elements, or steal sensitive data).
Attack Vector: Authenticated users with access to theme configuration (common in admin panels) can exploit this vulnerability.
Scope: Affects all pages rendering the theme’s footer (including public-facing pages if the theme is active).
Recommendation
Frontend: Implement input sanitization for the footerLink field (and all user-facing input fields) to escape special characters (e.g., replace < with `&lt;` and > with `&gt;`).
Backend: Validate and sanitize input in TemplateController.config() before storing it. Enforce a strict Content Security Policy (CSP) to restrict unauthorized script execution.
Testing: Conduct regular security testing (e.g., DAST/SAST) to identify and remediate similar input-handling vulnerabilities. |
|---|
| Source | https://github.com/SaaS5SaaS/CVE/issues/3 |
|---|
| User | SaaS5SaaS (UID 89104) |
|---|
| Submission | 08/16/2025 15:33 (10 months ago) |
|---|
| Moderation | 08/28/2025 16:50 (12 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 321765 [ZrLog up to 3.1.5 Theme Configuration Form config footerLink cross site scripting] |
|---|
| Points | 20 |
|---|
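The escaping the Recommendation section calls for, worked through as an added example that is not ZrLog's own code: a single-pass HTML escaper applied to every string in the theme configuration body that the report says is POSTed to /api/admin/template/config, plus an allowlist check on the body's keys. The footerText field name and the footer markup are assumptions made for illustration.

```javascript
// Added example, not ZrLog code: escape-on-output for theme configuration values,
// the kind of body the report says is POSTed to /api/admin/template/config.
// The field names (footerLink, footerText) and the footer markup are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape a value for insertion as HTML text or inside a double-quoted attribute.
// All five characters are replaced in a single pass, so '&' is never re-escaped
// after '<' has already become '&lt;'.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return the keys of a submitted config object that are not on the theme's
// allowlist; the controller can reject the request when this is non-empty.
function unknownConfigKeys(config, allowedKeys) {
  const allowed = new Set(allowedKeys);
  return Object.keys(config).filter((k) => !allowed.has(k));
}

// Produce a copy of the config with every string value escaped, recursing into
// nested objects and arrays. Numbers and booleans pass through unchanged.
function escapeConfigValues(config) {
  if (Array.isArray(config)) return config.map(escapeConfigValues);
  if (config !== null && typeof config === "object") {
    const out = {};
    for (const [k, v] of Object.entries(config)) out[k] = escapeConfigValues(v);
    return out;
  }
  return typeof config === "string" ? escapeHtml(config) : config;
}

// Render the footer the way a theme template might, but only from escaped values,
// so markup characters in the stored config appear as text rather than as tags.
function renderFooter(config) {
  const safe = escapeConfigValues(config);
  return `<footer><a href="${safe.footerLink}">${safe.footerText}</a></footer>`;
}

// Constructed sample body: an ordinary URL whose '&' must be encoded inside the
// attribute, and a text value containing characters that would otherwise form tags.
const sampleBody = {
  footerLink: "https://example.org/?a=1&b=2",
  footerText: 'Powered by <ZrLog> & "friends"',
};

console.log(unknownConfigKeys({ ...sampleBody, extra: 1 }, ["footerLink", "footerText"]));
console.log(renderFooter(sampleBody));
```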