CVE-2023-50630
Description
TMS v2.28.0 has stored XSS via markdown payloads, allowing remote code execution in the chat page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored Cross-Site Scripting (XSS) vulnerability exists in xiweicheng TMS version v2.28.0. The flaw resides in the markdown rendering engine used across multiple pages, particularly in the chat page (/chat/@super). An attacker can inject arbitrary JavaScript by crafting a markdown link (link text `click here`) whose target is a `javascript:` URI. No special configuration is required beyond the application accepting and rendering user-supplied markdown content [1].
Exploitation
An attacker with network access to the TMS instance can send a crafted message containing the malicious markdown payload. The payload uses `javascript:{onerror=eval}throw'=eval\x28String.fromCharCode\x28...\x29\x29')` to execute arbitrary JavaScript code. For example, a `click here` link triggers an `alert(1)` in the victim's browser. The payload is stored and triggers when any user views the chat page or similar markdown-rendered content [1].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's browser, enabling session hijacking, credential theft, or further attacks such as Cross-Site Request Forgery (CSRF). The reference notes a potential chained attack where XSS could be used to change an administrator's password via the /admin/user/update2 endpoint without proper CSRF tokens [1]. The attacker gains the same privileges as the victim user, potentially escalating to full administrative control.
Mitigation
As of the available references, no official fix has been released by the vendor. The issue remains unpatched in v2.28.0. Suggested workarounds include replacing the markdown component with a safer alternative or implementing server-side filtering of XSS payloads before storing user input in the database [1]. Users should monitor the vendor's repository for updates and apply any security patches promptly.
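One way to implement the server-side filtering suggested above, as an added example (not TMS code and not from the cited reference): a scheme allowlist applied to markdown link targets before a message is stored or rendered. The function names, the allowlist and the sample messages are assumptions made for this illustration.

```javascript
// Added example (not TMS code): allowlist the URL scheme of markdown link
// targets. Anything that is not clearly relative or allowlisted fails closed.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]); // assumed policy

// Decode numeric character references the way a markdown renderer does,
// so "&#106;avascript:" is judged as "javascript:".
function decodeNumericEntities(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (whole, code) => {
    const n = code[0].toLowerCase() === "x"
      ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "";
  });
}

function isSafeTarget(rawTarget) {
  // Browsers drop tabs/newlines inside a URL and ignore leading control
  // characters, so remove them all before reading the scheme.
  const target = decodeNumericEntities(rawTarget)
    .replace(/&colon;/gi, ":")
    .replace(/[\u0000-\u0020\u007f]/g, "");
  const colon = target.indexOf(":");
  const delim = target.search(/[\/?#]/);
  // No colon, or a path/query/fragment delimiter first: relative reference.
  if (colon === -1 || (delim !== -1 && delim < colon)) return true;
  // Otherwise everything before the first colon must be an allowed scheme.
  return ALLOWED_SCHEMES.has(target.slice(0, colon).toLowerCase());
}

// Reduce inline links/images with a rejected target to their visible text.
// Reference-style links and raw HTML need the same check and are not
// handled here; sanitizing the rendered HTML is still advisable.
function sanitizeMarkdownLinks(markdown) {
  return markdown.replace(/(!?)\[([^\]]*)\]\(([^)]*)\)/g,
    (whole, bang, text, target) => (isSafeTarget(target) ? whole : text));
}

// Constructed sample chat messages (not taken from the advisory).
const SAMPLES = [
  "[click here](javascript:void0)",
  "[click here](JaVa\tScRiPt:void0)",
  "[click here](&#106;avascript&colon;void0)",
  "[docs](https://example.com/a?b=c) and [room](/chat/room#t:1)",
];
for (const msg of SAMPLES) console.log(JSON.stringify(sanitizeMarkdownLinks(msg)));
```

The check is deliberately strict: a target with a colon before any `/`, `?` or `#` is rejected unless the text before that colon is exactly an allowlisted scheme.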
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: 2.28.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References