Summary
Some of the data stored in automation_tree_rules_form_save() function in automation_tree_rules.php is not thoroughly checked and is used to concatenate the HTML statement in form_confirm() function from lib/html.php , finally resulting in XSS.
Details
In the SQL table automation_tree_rules stored in database, the name field is controllable. The writing of dirty data can be done from automation_tree_rules_form_save() function in automation_tree_rules.php.
Both writing and reading require administrator privileges

The attack starts with the automation_tree_rules_remove() function in automation_tree_rules.php. Reading table automation_tree_rules and calling form_confirm() function.

Finally arriving at lib/html.php. Variable $text is not checked and concatenated directly, resulting in XSS.


PoC
POST access automation_tree_rules.php and submit the following data:
- 'save_component_automation_graph_rule' => 1,
- 'action'=>'save',
- '__csrf_magic'=> '',
- 'id'=>'4',
- 'name'=>'<script>alert(1);</script>',
- 'snmp_query_id'=>0,
check field in tableautomation_tree_rules table.

GET access : "http://ip:port/automation_graph_rules.php?action=remove&id=4".

Researcher: ISHGARD-2, USTC
Summary
Some of the data stored in
automation_tree_rules_form_save()function inautomation_tree_rules.phpis not thoroughly checked and is used to concatenate the HTML statement inform_confirm()function fromlib/html.php, finally resulting in XSS.Details
In the SQL table automation_tree_rules stored in database, the name field is controllable. The writing of dirty data can be done from

automation_tree_rules_form_save()function inautomation_tree_rules.php.Both writing and reading require administrator privileges
The attack starts with the

automation_tree_rules_remove()function inautomation_tree_rules.php.Reading table automation_tree_rules and callingform_confirm()function.Finally arriving at


lib/html.php. Variable$textis not checked and concatenated directly, resulting in XSS.PoC
POST access
automation_tree_rules.phpand submit the following data:check field in tableautomation_tree_rules table.

GET access : "http://ip:port/automation_graph_rules.php?action=remove&id=4".

Researcher: ISHGARD-2, USTC