[BUG] Security Vulnerability - Action Required: XSS vulnerability in the newest version of the datax-web #652

Crispy-fried-chicken · 2024-02-01T06:45:51Z

Describe the bug
I think your project allows Stored XSS (in Add User) to bypass the 20-character limit via datax-admin/src/main/java/com/wugui/datax/admin/controller/UserController.java#L27. It shares similarities to a recent CVE disclosure CVE-2020-29204 in thexuxueli/xxl-job.

The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2020-29204
Description: XXL-JOB 2.2.0 allows Stored XSS (in Add User) to bypass the 20-character limit via xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java.
Reference:https://nvd.nist.gov/vuln/detail/CVE-2020-29204
Patch: xuxueli/xxl-job@2276285

To Reproduce
The reproduce step may be similiar to the xxl-job(xuxueli/xxl-job#2083)

Expected behavior
Add User

Which version of DataX Web:
the newest version

**Requirement or improvement
The corresponding fixes are similar to CVE-2020-29204 to some extent. You can follow the patch of CVE-2020-29204 to fix it.

The text was updated successfully, but these errors were encountered:

Crispy-fried-chicken added the bug Something isn't working label Feb 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] Security Vulnerability - Action Required: XSS vulnerability in the newest version of the datax-web #652

[BUG] Security Vulnerability - Action Required: XSS vulnerability in the newest version of the datax-web #652

Crispy-fried-chicken commented Feb 1, 2024

[BUG] Security Vulnerability - Action Required: XSS vulnerability in the newest version of the datax-web #652

[BUG] Security Vulnerability - Action Required: XSS vulnerability in the newest version of the datax-web #652

Comments

Crispy-fried-chicken commented Feb 1, 2024