## Jfinal cms advice stored XSS
### Vulnerability Introduction
JFinal CMS uses the simple and powerful JFinal as its web framework, Beetl as its template engine, MySQL as its database, and Bootstrap, Flat UI and other frameworks on the front end. It supports multiple sites, OAuth2 authentication, account registration, password encryption, comments and replies, message notifications, site traffic statistics, article comment and page-view statistics, response management, permission management, and more.
### Vulnerability impact
- <= v4.7.1
### Vulnerability analysis
The vulnerability is triggered in the `save()` action of `com/jflyfox/modules/front/controller/AdviceController.java`:
```java
public void save() {
    JSONObject json = new JSONObject();
    json.put("status", 2); // failure

    // Check the captcha
    String imageCode = getSessionAttr(ImageCode.class.getName());
    String checkCode = this.getPara("imageCode");
    if (StrUtils.isEmpty(imageCode) || !imageCode.equalsIgnoreCase(checkCode)) {
        json.put("msg", "验证码错误!");
        renderJson(json.toJSONString());
        return;
    }

    // Feedback requires a logged-in user
    SysUser user = (SysUser) getSessionUser();
    if (user == null) {
        json.put("msg", "请先登录再填写意见反馈!");
        renderJson(json.toJSONString());
        return;
    }

    // Request parameters are bound straight onto the model and saved unfiltered
    TbAdviceFeedback model = getModel(TbAdviceFeedback.class);
    int userid = user.getInt("userid");
    String now = getNow();
    model.setUsername(user.getUserName());
    model.setUserid(userid);
    model.set("create_id", userid);
    model.set("create_time", now);
    model.save();

    UserCache.init(); // refresh the user cache
    SysUser newUser = SysUser.dao.findById(userid);
    setSessionUser(newUser); // update the session user
    json.put("status", 1); // success
    renderJson(json.toJSONString());
}
```
When a user submits feedback, the submitted fields are bound to the model and stored in the database without any filtering, and are later rendered in the administration back end without escaping, resulting in a stored XSS.
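The following is an added example, not code from JFinal CMS, showing the missing step: HTML-encoding the user-supplied feedback fields before they reach `model.save()`. The field names `title`, `content` and `contact` are assumptions (the advisory does not show the `TbAdviceFeedback` columns), and a `Map` stands in for the JFinal model so the class compiles and runs on its own.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not part of JFinal CMS): escapes feedback fields before they are
 * persisted, so a stored value cannot inject markup when an administrator views it.
 */
public class FeedbackSanitizer {

    // HTML-encode the five characters that can break out of element content or an
    // attribute value. Assumes the Beetl template renders the value as HTML text.
    public static String escapeHtml(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Assumed field names; only user-controlled columns are escaped, server-set
    // columns such as create_id and create_time are left alone.
    private static final String[] USER_SUPPLIED_FIELDS = {"title", "content", "contact"};

    // Returns a copy of the submitted form with every user-supplied field escaped.
    // In the real controller this would run on the model returned by getModel(...)
    // before model.save().
    public static Map<String, String> sanitize(Map<String, String> form) {
        Map<String, String> clean = new LinkedHashMap<>(form);
        for (String field : USER_SUPPLIED_FIELDS) {
            if (clean.containsKey(field)) {
                clean.put(field, escapeHtml(clean.get(field)));
            }
        }
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample submission resembling the one described in the advisory.
        Map<String, String> form = new LinkedHashMap<>();
        form.put("title", "site feedback");
        form.put("content", "<script>alert(1)</script>");
        form.put("contact", "user@example.com");

        Map<String, String> clean = sanitize(form);
        System.out.println("stored content: " + clean.get("content"));
    }
}
```

Encoding at save time matches where the advisory locates the flaw, but the more robust fix is to encode at render time in the back-end template as well, since stored text may later be emitted into contexts (attributes, JavaScript) that need a different encoding than element content.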
### Vulnerability reproduction
1. Register a regular user.
2. Open the user feedback form.
3. Fill in the XSS payload in the feedback.
![](https://images.seebug.org/1553770823525-w331s)
4. Click Submit.
5. The payload fires when a back-end administrator views the feedback.
![](https://images.seebug.org/1553770831713-w331s)