CVE-2018-19089
Description
Stored XSS in tianti 2.3 via user role name parameter allows arbitrary JavaScript execution in admin panel.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In tianti version 2.3, the userlist module contains a stored cross-site scripting (XSS) vulnerability. The tianti-module-admin/user/ajax/save_role endpoint accepts a name parameter that is not sanitized before being stored and later rendered in tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp. This allows an attacker to inject arbitrary HTML and JavaScript code into the role name field [1].
Exploitation
An attacker with access to the admin panel (authentication is required) can send a POST request to /tianti-module-admin/user/ajax/save_role with a malicious payload in the name parameter, such as `"><img src=i onerror=alert(document.cookie)>`. The payload is stored in the database and later displayed without sanitization when an administrator views the user list, triggering the XSS [1].
Impact
Successful exploitation leads to execution of arbitrary JavaScript in the context of the admin panel. This can result in disclosure of session cookies, privilege escalation, or other malicious actions on behalf of the authenticated administrator [1].
Mitigation
No official patch was released at the time of disclosure. Users should validate the role name in the save_role handler and encode it when it is rendered in the user_list.jsp view. As of the reference, the issue remains unfixed; consider upgrading to a patched version if one becomes available, or implement input validation and output encoding manually [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The userlist module in tianti 2.3 mishandles the name parameter in the user/ajax/save_role endpoint, leading to stored XSS."
Attack vector
An attacker can send a POST request to the `/tianti-module-admin/user/ajax/save_role` endpoint with a malicious payload in the `name` parameter. This payload, such as `"><img src=i onerror=alert(document.cookie)>`, is then stored and rendered without proper sanitization. The vulnerability is located in the `tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp` file, which processes the user input without defensive measures [ref_id=1].
Affected code
The vulnerability resides in the userlist module, specifically within the `tianti-module-admin\src\main\webapp\WEB-INF\views\user\user_list.jsp` file. This file receives input from the controller and displays it without adequate sanitization. The `usercontroller` is mentioned as the component that retrieves request parameters from users and places them into a User object, which is then returned to the view via an AJAX method without any defensive measures [ref_id=1].
What the fix does
The advisory suggests implementing global interceptors that check incoming requests for potential threats and rewrite responses so that special characters are replaced with their HTML entity equivalents. This would prevent injected markup from being rendered as script. The reference contains no specific code changes, but the recommended approach is to sanitize user input before it is stored and to encode it before it is displayed [ref_id=1].
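As an added illustration of the entity-encoding approach described above, the following Java snippet is example code written for this page, not tianti's own; the `RoleNameEncoding` class and the row markup it builds are assumed, and the sample input is the payload shape quoted in the advisory text.

```java
// Added example (not tianti's code): encode a stored role name at the output
// boundary so that markup injected via the save_role endpoint renders as text.
public final class RoleNameEncoding {

    /** Replace the five HTML-significant characters with entity references. */
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern (assumed row shape): stored name concatenated into markup. */
    public static String renderRowUnsafe(String roleName) {
        return "<td><input type=\"text\" value=\"" + roleName + "\"></td>";
    }

    /** Fixed pattern: the same row with the name encoded before it enters the attribute. */
    public static String renderRowSafe(String roleName) {
        return "<td><input type=\"text\" value=\"" + escapeHtml(roleName) + "\"></td>";
    }

    public static void main(String[] args) {
        // Constructed sample input: the payload shape quoted in the advisory.
        String payload = "\"><img src=i onerror=alert(document.cookie)>";
        System.out.println("unsafe: " + renderRowUnsafe(payload));
        System.out.println("safe:   " + renderRowSafe(payload));
        // Check a regression test could assert: no element survives encoding.
        boolean neutralised = !renderRowSafe(payload).contains("<img");
        System.out.println("tag neutralised: " + neutralised);
    }
}
```

In a JSP view the same effect comes from emitting the value through `<c:out value="${role.name}"/>` (which escapes XML by default) rather than a raw `${role.name}` expression; encoding at output is the control that stops stored data from being interpreted as markup regardless of how it entered the database.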
Preconditions
- The attacker must be able to send a POST request to the `/tianti-module-admin/user/ajax/save_role` endpoint.
- The attacker must provide a malicious payload in the `name` parameter.
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/xujeff/tianti/issues/27 (MISC)
News mentions: 0
No linked articles in our index yet.