Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
An issue was discovered in b3log Symphony (aka Sym) before v3.4.7. XSS exists via the userIntro and userNickname fields to processor/SettingsProcessor.java.
Advisories for Maven/Org.b3log/Symphony package
2019
2017
Cross-site Scripting
b3log Symphony allows an XSS attack by sending a private letter with a certain /article URI, and a second private letter with a modified title.
Cross-site Scripting
b3log Symphony does not properly address XSS in JSON objects.
Cross-site Scripting
b3log Symphony has an XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.