A vulnerability was found in xnx3 wangmarket up to 6.4. This affects an unknown function of the file /siteVar/save.do of the component Add Global Variable Handler. The manipulation of the argument Remark/Variable Value results in cross site scripting. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Xnx3 Wangmarket versions up to 6.4 are vulnerable to a critical cross-site scripting (XSS) flaw. This vulnerability, located in the /siteVar/save.do component, allows attackers to inject malicious scripts via the Remark/Variable Value parameter, potentially leading to account compromise and data theft through remote exploitation.
Step 1: Payload Delivery: An attacker crafts a malicious payload containing JavaScript code (e.g., <script>alert('XSS')</script>) and submits it through a specially crafted HTTP request to the /siteVar/save.do endpoint, targeting the Remark/Variable Value parameter.
Step 2: Data Storage: The vulnerable application stores the attacker's malicious payload within the database, associated with the global variable.
Step 3: Payload Retrieval: When a legitimate user accesses a page that displays the global variable (e.g., a page that renders the Remark/Variable Value), the application retrieves the stored payload from the database.
Step 4: Malicious Code Execution: The application renders the retrieved data without proper sanitization. The attacker's JavaScript code is executed within the user's browser, in the context of the vulnerable website. This allows the attacker to steal cookies, redirect users, or perform other malicious actions.
The vulnerability stems from insufficient input validation and output encoding within the Add Global Variable Handler functionality of xnx3 wangmarket. Specifically, the application fails to properly sanitize user-supplied input provided through the Remark/Variable Value parameter before rendering it on a webpage. This allows attackers to inject arbitrary HTML and JavaScript code. The root cause is a lack of proper input validation and output encoding (e.g., HTML escaping) when handling the Remark/Variable Value parameter. The application directly incorporates user-controlled data into the HTML response without sanitization, leading to the execution of malicious scripts within the context of the vulnerable website. This is a classic example of a stored XSS vulnerability, as the injected payload is stored on the server and served to other users.