Summary:
The current SSCMS version v7.4.0 contains a real and exploitable DOM-based Cross-Site Scripting vulnerability in its error pages. Frontend code reads attacker-controlled input from the message query parameter and renders it directly into the page through Vue’s v-html without sanitization or output encoding, allowing arbitrary JavaScript execution in the victim’s browser.
Details:
The issue involves the following files:
- src/SSCMS.Web/wwwroot/sitefiles/assets/js/utils.js
- src/SSCMS.Web/wwwroot/sitefiles/assets/js/home/error.js
- src/SSCMS.Web/wwwroot/sitefiles/assets/js/admin/error.js
- src/SSCMS.Web/Pages/home/error.cshtml
- src/SSCMS.Web/Pages/ss-admin/error.cshtml
In utils.js, the getQueryString() function directly returns decodeURIComponent of the query parameter value without any HTML encoding or sanitization. The home/error.js and admin/error.js scripts then assign the message parameter directly into the Vue data model. Finally, home/error.cshtml and ss-admin/error.cshtml render that value using v-html="message". Because v-html interprets the value as HTML, an attacker can supply a malicious payload in the message parameter and achieve script execution in the client browser.
Impact:
An attacker can trick a victim into opening a crafted URL and execute arbitrary JavaScript in the victim’s browser context. This may lead to:
- theft of accessible page data
- session hijacking
- execution of actions on behalf of the victim
- further compromise of administrative users
The /home/error/ page can be used as an unauthenticated attack surface. The /ss-admin/error/ page contains the same vulnerable sink and becomes higher impact if an administrator visits a malicious link.
Reproduction steps:
- Visit the following URL:
  /home/error/?message=%3Cimg%20src=x%20onerror=alert(1)%3E
- The page reads the message value from the URL query string.
- The frontend script assigns this value into the Vue data object.
- The error page renders the value using v-html.
- The injected JavaScript executes in the browser and triggers alert(1), confirming the vulnerability.
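The source-to-sink flow described above, next to the text-binding form that closes it, as an added example that is not SSCMS code. getQueryStringRaw, renderWithVHtml, renderWithInterpolation and hasActiveHandler are hypothetical stand-ins that model the behaviour the report describes, and the sample query string is the one from the reproduction URL.

```javascript
// Constructed sample: query string taken from the reproduction URL in this report.
const SAMPLE_SEARCH = '?message=%3Cimg%20src=x%20onerror=alert(1)%3E';

// Hypothetical stand-in for the utils.js helper: decodes the value and
// returns it with no HTML encoding, as the report describes.
function getQueryStringRaw(search, name) {
  const match = new RegExp('(?:^|[?&])' + name + '=([^&]*)').exec(search);
  if (!match) return '';
  try {
    return decodeURIComponent(match[1]);
  } catch (e) {
    return ''; // malformed percent-encoding throws URIError; treat as empty
  }
}

// Encode the characters that let text break out into markup or attributes.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Model of v-html="message": the string becomes the element's innerHTML,
// so the browser parses any tags in it.
function renderWithVHtml(message) {
  return '<div class="error">' + message + '</div>';
}

// Model of {{ message }}: Vue writes the string as text, which serializes
// to the HTML-encoded form, so no element is created.
function renderWithInterpolation(message) {
  return '<div class="error">' + escapeHtml(message) + '</div>';
}

// True when an element with an inline event handler survives in the output.
function hasActiveHandler(html) {
  return /<[a-z][^>]*\son\w+\s*=/i.test(html);
}

const message = getQueryStringRaw(SAMPLE_SEARCH, 'message');
console.log('v-html      :', renderWithVHtml(message), hasActiveHandler(renderWithVHtml(message)));
console.log('{{ message }}:', renderWithInterpolation(message), hasActiveHandler(renderWithInterpolation(message)));
```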