zerochplus thread.res.pl PrintResList cross site scripting
Description
Cross-site scripting vulnerability in zerochplus PrintResList function allows remote attackers to inject malicious scripts through unsanitized log data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in zerochplus PrintResList function allows remote attackers to inject malicious scripts through unsanitized log data.
Vulnerability
The PrintResList function in test/mordor/thread.res.pl does not properly escape log entries before output. The patch (commit 9ddf9ecca8565341d8d26a3b2f64540bde4fa273) [1] shows that log data is split and printed without HTML escaping, enabling stored cross-site scripting. All versions prior to this commit are affected.
Exploitation
An attacker with the ability to inject malicious content into the log storage (e.g., through user posts or other input) can trigger XSS when the logs are rendered by PrintResList. The attack is remote and does not require authentication beyond normal user actions that populate the logs.
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser, potentially leading to session hijacking, data theft, or defacement. The XSS is stored, affecting all users who view the compromised log entries.
Mitigation
The fix is in commit 9ddf9ecca8565341d8d26a3b2f64540bde4fa273 [1], which sanitizes output by removing control characters and escaping HTML entities. Apply this patch immediately. No official release is tagged; if patching is infeasible, restrict user-supplied data from reaching log output.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- zerochplus/zerochplusdescription
Patches
11 file changed · +9 −0
test/mordor/thread.res.pl+9 −0 modified@@ -257,6 +257,15 @@ sub PrintResList $log = $Logger->Get($logsize - 1 + $i - $lastnum); @logs = split(/<>/,$log,-1) if (defined $log); + foreach (0 .. $#logs) { + $logs[$_] =~ s/[\x0d\x0a\0]//g; + $logs[$_] =~ s/&/&/g; + $logs[$_] =~ s/"/"/g; + $logs[$_] =~ s/'/'/g; + $logs[$_] =~ s/</</g; + $logs[$_] =~ s/>/>/g; + } + $Page->Print("<tr><td class=\"Response\" valign=top>"); # ���X�폜���ɂ��\���}��
Vulnerability mechanics
Root cause
"Missing HTML output encoding of log data in PrintResList allows stored cross-site scripting."
Attack vector
An attacker can inject malicious HTML or JavaScript into log entries that are later processed by the `PrintResList` function. Because the log data was not sanitized before being output into the HTML response, any script payload embedded in a log field would execute in the browser of any user viewing the thread. The attack is remote — the attacker simply needs to post a comment or otherwise create a log entry containing XSS payloads such as `<script>alert(1)</script>`.
Affected code
The vulnerable function is `PrintResList` in the file `test/mordor/thread.res.pl`. The patch shows that log data stored in the `@logs` array (split from the `$log` variable using `split(/
What the fix does
The patch adds a loop over every element of the `@logs` array that strips carriage returns, newlines, and null bytes, then HTML-encodes the five dangerous characters (`&`, `"`, `'`, `
Preconditions
- inputThe attacker must be able to create or influence a log entry that is stored and later displayed by the PrintResList function.
- networkThe victim must visit the page that renders the thread (i.e., the output of PrintResList) in a browser.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/zerochplus/zerochplus/commit/9ddf9ecca8565341d8d26a3b2f64540bde4fa273mitrepatch
- vuldb.commitresignaturepermissions-required
- vuldb.commitrevdb-entrytechnical-description
News mentions
0No linked articles in our index yet.