Zhong Bang CRMEB Java save cross site scripting
Description
A stored cross-site scripting vulnerability in /api/admin/store/product/save of CRMEB Java <=1.3.4 allows remote attackers to inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The /api/admin/store/product/save endpoint in CRMEB Java up to version 1.3.4 does not properly sanitize user input, leading to a stored cross-site scripting (XSS) vulnerability. An attacker can inject malicious scripts via parameters such as storeName, storeInfo, or other fields that are stored and later rendered in the admin panel. The issue is disclosed in the GitHub issue tracker [1].
Exploitation
An attacker needs network access to the admin API endpoint and a valid admin session token for authentication. By sending a POST request to /api/admin/store/product/save with a payload containing HTML and JavaScript (e.g., ``), the script is stored in the database. When an administrator views the affected product page, the script executes.
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the admin's browser. This can result in session hijacking, defacement, or theft of sensitive data displayed in the admin interface. The attacker gains the ability to perform actions on behalf of the authenticated admin.
Mitigation
The vendor has not released a patched version as of the publication date. Users are advised to sanitize input parameters on the server side or apply input validation filters. Upgrading to a newer version if available is recommended. The vulnerability is publicly known, and exploit details are available [1].
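The server-side sanitization and input validation recommended above, as an added example that is not CRMEB Java's own code. The field names storeName and storeInfo come from the advisory text; the class name, the map-based request shape and the allow-list pattern are assumptions standing in for the real request DTO and handler.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Added example, not CRMEB Java's own code. Field names storeName/storeInfo
// are taken from the advisory; everything else here is an assumption.
public final class ProductInputSanitizer {

    // Contextual HTML escaping: neutralises the five characters that let
    // stored text break out of an HTML text or attribute context.
    public static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Allow-list validation for a short display name: letters, digits,
    // spaces and a few punctuation marks. Anything else is rejected rather
    // than silently rewritten, so a tampered request fails loudly and is
    // visible in the request logs.
    private static final Pattern NAME_ALLOW =
            Pattern.compile("^[\\p{L}\\p{N} ._,()'-]{1,100}$");

    public static boolean isValidStoreName(String name) {
        return name != null && NAME_ALLOW.matcher(name).matches();
    }

    // Clean the fields the advisory names before they are persisted.
    // Returns the sanitised map, or throws for a name that fails the allow-list.
    public static Map<String, String> sanitizeProduct(Map<String, String> fields) {
        String storeName = fields.get("storeName");
        if (!isValidStoreName(storeName)) {
            throw new IllegalArgumentException("storeName contains disallowed characters");
        }
        Map<String, String> clean = new LinkedHashMap<>();
        clean.put("storeName", storeName);
        // storeInfo is free text: escape it so the admin UI renders it inertly.
        clean.put("storeInfo", escapeHtml(fields.get("storeInfo")));
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample request bodies, as a product-save handler might receive them.
        Map<String, String> benign = new LinkedHashMap<>();
        benign.put("storeName", "Blue Mug");
        benign.put("storeInfo", "Ceramic, 350 ml & dishwasher safe");
        System.out.println(sanitizeProduct(benign));

        Map<String, String> markup = new LinkedHashMap<>();
        markup.put("storeName", "Blue Mug");
        markup.put("storeInfo", "<script>document.title='x'</script>");
        System.out.println(sanitizeProduct(markup));

        Map<String, String> badName = new LinkedHashMap<>();
        badName.put("storeName", "<b>Mug</b>");
        badName.put("storeInfo", "x");
        try {
            sanitizeProduct(badName);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Escaping at storage time is a stopgap that fits the advisory's advice; the more robust fix is context-aware output encoding wherever the admin panel renders these fields, since the same stored value may be emitted into HTML text, an attribute, or a JavaScript literal, each of which needs its own encoding. A Content-Security-Policy on the admin pages further limits what an injected script could do if one slips through.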
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.3.4
- (no CPE) range: 1.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- github.com/crmeb/crmeb_java/issues/12 (mitre; exploit; issue-tracking)
- vuldb.com (mitre; signature; permissions-required)
- vuldb.com (mitre; vdb-entry; technical-description)
News mentions
No linked articles in our index yet.