Description
b3log Symphony (aka Sym) 2.2.0 has XSS in processor/AdminProcessor.java in the admin console, as demonstrated by a crafted X-Forwarded-For HTTP header that is mishandled during display of a client IP address in /admin/user/userid.
Remediation
References
https://github.com/b3log/symphony/issues/503
Related Vulnerabilities
CVE-2020-11022 Vulnerability in maven package org.fujion.webjars:jquery
CVE-2018-16479 Vulnerability in npm package http-live-simulator
CVE-2020-7729 Vulnerability in maven package org.webjars.npm:grunt
CVE-2018-18389 Vulnerability in maven package org.neo4j:neo4j-security-enterprise
CVE-2023-33546 Vulnerability in maven package org.codehaus.janino:janino-parent