Introduction

Smart-SSO is a lightweight, high-availability Single Sign-On (SSO) authentication and authorization center built on Spring Boot and the OAuth2 protocol, with an RBAC (Role-Based Access Control) permission model.

A stored XSS vulnerability lets an attacker persist a malicious script on the target server; the script then executes in the browser of every other user who views the affected page.

Affected Versions

Smart-SSO 2.1.1 and earlier

Analysis Details

Vulnerable Location: smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java

// Lines 105-134
@Operation(summary = "新增/修改提交")
@ResponseBody
@RequestMapping(value = "/save", method = RequestMethod.POST)
public Result save(
        @RequestParam(required = false) Long id,
        @RequestParam Long officeId,
        @RequestParam(required = false) String name,
        @RequestParam String account,
        @RequestParam(required = false) String password,
        @RequestParam Boolean isEnable) {
    // ...
    user.setName(name);  // Direct storage of user input without filtering
    user.setAccount(account);
    // ...
    userService.saveOrUpdate(user);
    return Result.success();
}

Vulnerability Analysis: the controller above stores the submitted value without any filtering, and the admin template below interpolates the stored value into the page without output encoding, so a crafted value is rendered as markup for every administrator who opens the edit form.

Affected Template File: smart-sso-server/src/main/resources/templates/admin/role-edit.html

<!-- Line 48 - textarea field, highly vulnerable to XSS -->
<textarea id="_description" name="description"...>${role.description!}</textarea>

POC

Via attribute injection:

" autofocus onfocus="alert(1)
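To show why the PoC string works against an unencoded attribute and how output encoding at render time neutralises it, here is an added example (not Smart-SSO code, and written by the editor): a small HTML encoder, the same attribute rendered raw and encoded, and a reader that extracts what a browser would treat as the attribute value. The `<input value="...">` context, class and method names are assumptions; the affected template is modelled, not copied.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OutputEncodingDemo {

    // Minimal HTML encoder covering text content and double-quoted attribute values.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Assumed attribute context, rendered the way raw interpolation such as
    // ${role.description!} behaves when template auto-escaping is off.
    static String renderUnsafe(String storedName) {
        return "<input name=\"name\" value=\"" + storedName + "\">";
    }

    // Hardened form: encode at the output point (FreeMarker's ?html built-in or
    // HTML auto-escaping achieves the same effect inside the template).
    static String renderSafe(String storedName) {
        return "<input name=\"name\" value=\"" + escapeHtml(storedName) + "\">";
    }

    // Reads back what a browser would take as the value attribute of the rendered tag.
    private static final Pattern VALUE_ATTR = Pattern.compile("value=\"([^\"]*)\"");

    static String parsedValueAttribute(String html) {
        Matcher m = VALUE_ATTR.matcher(html);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        String payload = "\" autofocus onfocus=\"alert(1)"; // the report's PoC string, as stored via /save
        String unsafe = renderUnsafe(payload);
        String safe = renderSafe(payload);
        System.out.println(unsafe);
        System.out.println("parsed value (unsafe): " + parsedValueAttribute(unsafe));
        System.out.println(safe);
        System.out.println("parsed value (safe):   " + parsedValueAttribute(safe));
    }
}
```

In the raw rendering the quote in the payload terminates the value attribute early, so the rest of the string becomes new attributes on the element; in the encoded rendering the whole payload stays inside the single quoted value.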
